re-markitfql158.exe

The application re-markitfql158.exe has been detected as adware by 2 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 13828 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. It is part of the Revizer line of web browser extensions, which inject third-party advertisements into the user's web browser and set up a proxy server for the browser in order to track browsing behavior and display context-based ads from various partners (mostly adware).
MD5:
73ba1d74caeb14368fd2ccbafb0ddb06

SHA-1:
4742705a731cd5047a4588feb4c99ae1bfe2fd2b

SHA-256:
a0248bc881ad687b1df5ecb816bf2a6f8e1cdf9707df4a094e8f3acf9eee27b3

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
11/28/2024 4:30:10 AM UTC

Scan engine        | Detection                  | Engine version
avast!             | Win32:Adware-BMG [PUP]     | 2014.9-140416
Reason Heuristics  | Adware.Revizer.Remarkit.P  | 14.4.16.0

File size:
139 KB (142,336 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\re-markit-soft\re-markitfql158.exe

File PE Metadata
Compilation timestamp:
4/12/2014 10:31:07 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
10.0

CTPH (ssdeep):
1536:A9oRFizcT7PHaNBLsuoldgeSNLOJxG9Zx4aaUDADA8FolkZlR8Vi1QU1ivpLj+zb:+oiQPHafolMQw+aADw8+U1mIIwOogB

Entry address:
0xBCD9

Entry point:
E8, 09, 58, 00, 00, E9, 95, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, 48, 1E, 42, 00, 00, 74, 05, E9, 66, 58, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7...

Code size:
83.5 KB (85,504 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:13828/

Local host port:
13828

Default credentials:
No
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP):
Connects to w02.exctg.net  (62.4.0.162:80)

TCP (HTTP):
Connects to server-205-251-253-186.ind6.r.cloudfront.net  (205.251.253.186:80)

TCP (HTTP):
Connects to retarget.ca.dc.openx.org  (173.241.250.7:80)

TCP (HTTP):
Connects to raptr.com  (209.49.122.57:80)

TCP (HTTP):
Connects to lax02s19-in-f25.1e100.net  (74.125.224.121:80)

TCP (HTTP):
Connects to ec2-54-221-240-254.compute-1.amazonaws.com  (54.221.240.254:80)

TCP (HTTP):
Connects to corporat190-025210082.sta.etb.net.co  (190.25.210.82:80)

TCP (HTTP):
Connects to a96-17-68-114.deploy.akamaitechnologies.com  (96.17.68.114:80)

TCP (HTTP):
Connects to 87-237-11-34.powered-by.benesol.be  (87.237.11.34:80)

TCP (HTTP):
Connects to 50.97.37.221-static.reverse.softlayer.com  (50.97.37.221:80)

Remove re-markitfql158.exe - Powered by Reason Core Security