re-markitmg172.exe

The application re-markitmg172.exe has been detected as adware by 16 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 13830 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. It is part of the Revizer line of web browser extensions, which inject third-party advertisements into the user's web browser and set up a proxy server for the browser in order to track browsing behavior and display context-based ads from various partners (mostly adware).
MD5: 5fffd5ad02114530b17a7edf9692799b
SHA-1: 2eb9dacb6ec9569b2b8d9f01ce7a06d168668375
SHA-256: 052bcd30e27f61ea733447903fa04bd7f6db5ccd00dd2025acab4b3fd1a25776

Scanner detections: 16 / 68
Status: Adware
Analysis date: 12/25/2024 5:53:14 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.AddLyrics.11 | 922
avast! | Win32:Adware-BSL [PUP] | 2014.9-140728
AVG | Generic5 | 2015.0.3400
Baidu Antivirus | Adware.Win32.AddLyrics | 4.0.3.14728
Bitdefender | Gen:Variant.Adware.AddLyrics.11 | 1.0.20.1045
Comodo Security | ApplicUnwnt | 18736
Emsisoft Anti-Malware | Gen:Variant.Adware.AddLyrics.11 | 8.14.07.28.01
ESET NOD32 | Win32/AdWare.AddLyrics.AQ (variant) | 8.10031
Fortinet FortiGate | Riskware/AddLyrics | 7/28/2014
F-Secure | Gen:Variant.Adware.AddLyrics.11 | 11.2014-28-07_2
G Data | Gen:Variant.Adware.AddLyrics.11 | 14.7.24
Kaspersky | not-a-virus:HEUR:AdWare.Win32.Agent | 14.0.0.3495
MicroWorld eScan | Gen:Variant.Adware.AddLyrics.11 | 15.0.0.627
Reason Heuristics | Adware.Revizer.Remarkit.O | 14.6.9.14
Trend Micro House Call | Suspicious_GEN.F47V0625 | 7.2.209
VIPRE Antivirus | Trojan.Win32.Generic | 30874

File size: 175.5 KB (179,712 bytes)
File type: Executable application (Win32 EXE)
Language: English (United States)
Common path: C:\Program Files\re-markit-soft\re-markitmg172.exe

File PE Metadata

Compilation timestamp: 6/5/2014 7:12:41 AM
OS version: 5.1
OS bitness: Win32
Subsystem: Windows Console
Linker version: 11.0
CTPH (ssdeep): 3072:Z8zcvi+/PQxHk7+RaeBM+3ysF3OeEIa6w:Z88ihxk+GYeeEIa6w
Entry address: 0xDD6D
Entry point (first bytes): E8, D6, 66, 00, 00, E9, 7B, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, A4, 3C, 42, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 10, 2E, 42, 00, 01, 0F, 82, BB, 67, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA...

Entropy: 6.4053
Code size: 94 KB (96,256 bytes)

Local Proxy Server

Proxy for: Internet Settings
Local host address: http://127.0.0.1:13830/
Local host port: 13830
Default credentials: No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL): connects to we-in-f94.1e100.net (173.194.66.94:443)
TCP (HTTP SSL): connects to mrs02s05-in-f10.1e100.net (173.194.35.106:443)
TCP (HTTP SSL): connects to mrs02s05-in-f1.1e100.net (173.194.35.97:443)
TCP (HTTP SSL): connects to mrs02s04-in-f23.1e100.net (173.194.39.55:443)
TCP (HTTP SSL): connects to fa-in-f95.1e100.net (173.194.70.95:443)
TCP (HTTP SSL): connects to fa-in-f84.1e100.net (173.194.70.84:443)
TCP (HTTP): connects to ec2-54-208-30-101.compute-1.amazonaws.com (54.208.30.101:80)
TCP (HTTP SSL): connects to db3msgr6010805.gateway.messenger.live.com (157.56.192.34:443)
TCP (HTTP): connects to data20.websupport.sk (37.9.168.19:80)
TCP (HTTP): connects to a184-26-162-43.deploy.static.akamaitechnologies.com (184.26.162.43:80)
TCP (HTTP SSL): connects to a184-25-162-161.deploy.static.akamaitechnologies.com (184.25.162.161:443)

Remove re-markitmg172.exe - Powered by Reason Core Security