ReversePage.BOAS.exe

Reverse Page

ReversePage.BOAS.exe is part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The application, published by Reverse Page, has been detected as adware by 40 anti-malware scanners. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. While running, it connects to the Internet address server-54-230-182-3.icn50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Reverse Page  (signed and verified)

Description:
ReversePage.BOAS.exe

Version:
1.0.0.1

MD5:
21504bc1d79100336e8a9c89f920a978

SHA-1:
fe4434fa61de53233f66e37324bc0fc75f54b964

SHA-256:
eb0ef428ad594838fb0a3b44463ce23ac18ec163dd556cfdbefb73b1d3491d80

Scanner detections:
40 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/25/2024 6:04:11 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.BrowseFox.BQ | 6358706
Agnitum Outpost | Win32.Sality.FA.Gen | 7.1.1
AhnLab V3 Security | Win32/Kashu.E | 2014.10.13
Avira AntiVirus | TR/Trash.Gen | 7.11.30.172
avast! | Win32:Adware-CCC [PUP] | 150101-1
AVG | Win32/Sality | 2016.0.3227
Baidu Antivirus | Virus.Win32.Sality.$Emu | 4.0.3.15116
Bitdefender | Win32.Sality.3 | 1.0.20.80
Bkav FE | W32.Sality.PE | 1.3.0.4959
Clam AntiVirus | Win.Adware.Agent-22623 | 0.98/19934
Dr.Web | Trojan.BPlug.280 | 9.0.1.05190
Emsisoft Anti-Malware | Adware.BrowseFox.BQ | 9.0.0.4799
ESET NOD32 | Win32/BrowseFox.R potentially unwanted application | 7.0.302.0
Fortinet FortiGate | Riskware/BrowseFox | 1/16/2015
F-Prot | W32/Sality.gen2 | v6.4.6.5.141
F-Secure | Adware.BrowseFox.BQ | 5.13.68
G Data | Win32.Sality | 15.1.24
IKARUS anti.virus | AdWare.MPlug | t3scan.1.7.8.0
K7 AntiVirus | Virus | 13.183.13642
Kaspersky | Packed.Win32.Krap | 14.0.0.2632
Malwarebytes | | v2015.01.16.12
McAfee | Trojan.Artemis!21504BC1D791 | 16.8.708.2
Microsoft Security Essentials | Threat.Undefined | 1.185.3018.0
MicroWorld eScan | Win32.Sality.3 | 16.0.0.48
NANO AntiVirus | Virus.Win32.Sality.bzkem | 0.28.2.62483
Norman | Gen:Variant.Adware.Graftor.158883 | 03.12.2014 13:20:04
nProtect | Win32.Sality.3 | 14.10.12.01
Panda Antivirus | W32/Sality.AA | 15.01.16.12
Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1015
Quick Heal | W32.Sality.U | 1.15.14.00
Reason Heuristics | PUP.Yontoo | 15.2.5.12
Sophos | Mal/Sality-D | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Nullo[Short] | 10112
Total Defense | Win32/Sality.AA | 37.0.11224
Trend Micro House Call | PE_SALITY.ER | 7.2.16
Trend Micro | PE_SALITY.ER | 10.465.16
Vba32 AntiVirus | Virus.Win32.Sality.bakb | 3.12.26.3
VIPRE Antivirus | Threat.4734158 | 33706
ViRobot | Win32.Sality.N | 2011.4.7.4223
Zillya! Antivirus | Virus.Sality.Win32.20 | 2.0.0.1953

File size:
1.7 MB (1,791,224 bytes)

Product version:
1.0.0.1

Original file name:
ReversePage.BOAS.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\reverse page\bin\reversepage.boas.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/20/2014 12:00:00 AM

Valid to:
11/20/2015 11:59:59 PM

Subject:
CN=Reverse Page, O=Reverse Page, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
49B8C5928FD288CB8DBC7B5824AC1BF6

File PE Metadata
Compilation timestamp:
1/15/2015 1:06:36 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:aZ30sBqTwk9WyiQRzRe0sjZCtzw2UxZOA//48Y1dO7b0em+Vm2IC5GDuesJmtWV:q38TbW0RNAjwtzw2UxZOA//4+bs0m2Io

Entry address:
0x107789

Entry point:
E8, CA, 72, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, B8, 3E, 58, 00, 75, 02, F3, C3, E9, 51, 73, 00, 00, 8B, 41, 04, 85, C0, 75, 05, B8, E8, C6, 55, 00, C3, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 57, 8B, F9, 74, 2D, 56, FF, 75, 08, E8, 7A, 38, 00, 00, 8D, 70, 01, 56, E8, 1C, 06, 00, 00, 59, 59, 89, 47, 04, 85, C0, 74, 11, FF, 75, 08, 56, 50, E8, 17, 74, 00, 00, 83, C4, 0C, C6, 47, 08, 01, 5E, 5F, 5D, C2, 04, 00, 8B, FF, 56, 8B, F1, 80, 7E, 08, 00, 74, 09, FF, 76, 04, E8, FB, 09, 00, 00, 59, 83, 66, 04, 00, C6, 46...
 

Code size:
1.2 MB (1,263,104 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-182-3.icn50.r.cloudfront.net  (54.230.182.3:80)

TCP (HTTP):
Connects to nrt04s10-in-f25.1e100.net  (173.194.117.185:80)

TCP (HTTP):
Connects to mpr2.ngd.vip.sg3.yahoo.com  (106.10.198.32:80)

TCP (HTTP):
Connects to float.1178.bm-impbus.prod.sin1.adnexus.net  (103.243.222.63:80)

TCP (HTTP):
Connects to float.1171.bm-impbus.prod.sin1.adnexus.net  (103.243.222.35:80)

TCP (HTTP):

TCP (HTTP):
Connects to ec2-54-243-57-129.compute-1.amazonaws.com  (54.243.57.129:80)

TCP (HTTP):

TCP (HTTP):
Connects to ec2-54-148-234-219.us-west-2.compute.amazonaws.com  (54.148.234.219:80)

TCP (HTTP):
Connects to a173-223-227-8.deploy.static.akamaitechnologies.com  (173.223.227.8:80)
