runonce.exe

Tibaco internet media B.V.

The application runonce.exe by Tibaco internet media B.V. has been detected as a potentially unwanted program by 3 anti-malware scanners. It is a setup program used to install the application, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from webgameplayer.tibaco.net and multiple other hosts.
Publisher:
Tibaco internet media B.V.  (signed and verified)

MD5:
b656fe3f4983ee4d4bf743215e52ad78

SHA-1:
eccfbe8a9c7f499b1b3b5a66bdee146d54488761

SHA-256:
d54a522f08f563e8e201ea78968e4c55d371cdd3d6d774b7a002dbf6270cd017

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 1:28:58 AM UTC

Scan engine | Detection | Engine version
Dr.Web | Adware.GameVance.130 | 9.0.1.0197
Reason Heuristics | PUP.GameVance (M) | 15.7.16.17
Trend Micro House Call | HV_ZYX_CA0838A1.TOMC | 7.2.197

File size:
212.1 KB (217,144 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\runonce.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
10/12/2011 1:00:00 AM

Valid to:
11/10/2012 11:59:59 PM

Subject:
CN=Tibaco internet media B.V., O=Tibaco internet media B.V., L=Eindhoven, S=Noord-Brabant, C=NL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4424B13DB47435EE567C0BD7B189D979

File PE Metadata
Compilation timestamp:
3/6/2012 8:49:56 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.21

CTPH (ssdeep):
6144:oLL+7nszWx1bRtYFCT2SGrsYITje+K/2O/q52F2fouEP3hHlAi4:XnsSx1NtYFCT2SGrsYITje+K+O/q502H

Entry address:
0x12B0

Entry point:
55, 89, E5, 83, EC, 18, C7, 04, 24, 02, 00, 00, 00, FF, 15, 74, 95, 42, 00, E8, 38, FD, FF, FF, 90, 8D, B4, 26, 00, 00, 00, 00, 55, 89, E5, 83, EC, 08, A1, A4, 95, 42, 00, C9, FF, E0, 66, 90, 55, 89, E5, 83, EC, 08, A1, 8C, 95, 42, 00, C9, FF, E0, 90, 90, 55, 89, E5, 83, EC, 08, C6, 05, 5F, 40, 42, 00, 01, 83, 3D, 60, 40, 42, 00, 00, 74, 10, A1, 60, 40, 42, 00, 89, 04, 24, E8, 5D, 4D, 01, 00, 83, EC, 04, 83, 3D, 64, 40, 42, 00, 00, 74, 10, A1, 64, 40, 42, 00, 89, 04, 24, E8, 44, 4D, 01, 00, 83, EC, 04, 83...
Code size:
115 KB (117,760 bytes)

The file runonce.exe has been seen being distributed by the following 10 URLs.

http://webgameplayer.tibaco.net/111/.../ancient_jewels.exe

http://webgameplayer.tibaco.net/111/.../super_mario_flash_1.exe

http://webgameplayer.tibaco.net/111/.../takeover.exe

http://webgameplayer.tibaco.net/111/.../stick_war.exe

http://webgameplayer.tibaco.net/111/.../boxhead_2_play.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-79-125-21-198.eu-west-1.compute.amazonaws.com  (79.125.21.198:80)
