searchgoltb.exe

Woolik technologies ltd

The application searchgoltb.exe by Woolik technologies ltd has been detected as adware by 13 anti-malware scanners. It is a setup program used to install the application. Once installed, it displays context-specific advertisements in the browser and attempts to change the browser's search provider. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from media.opencandy.com and multiple other hosts.
Publisher:
Woolik technologies ltd  (signed and verified)

MD5:
4b5b56bbc4d472d52c03c7dc6c33026d

SHA-1:
22ea12e23878248febc79c3b7fd1fa8b91f03725

SHA-256:
8de3c86616bc8a3520c16a7a0f0c80bc12ace4265b2236a4cd97831415217e7e

Scanner detections:
13 / 68

Status:
Adware

Analysis date:
11/23/2024 6:41:18 AM UTC

Scan engine             | Detection                              | Engine version
Agnitum Outpost         | Trojan.Agent                           | 7.1.1
AhnLab V3 Security      | Adware/Win32.Toolbar                   | 2013.10.30
Baidu Antivirus         | Adware.Win32.Bbylon                    | 4.0.3.1448
Bkav FE                 | W32.Clod96b.Trojan                     | 1.3.0.4613
Comodo Security         | Application.Win32.Babylon.aj           | 17450
Dr.Web                  | Adware.Babylon.10                      | 9.0.1.0357
ESET NOD32              | Win32/Toolbar.Babylon (variant)        | 7.9122
herdProtect (fuzzy)     |                                        | 2013.12.28.15
Malwarebytes            | PUP.Optional.PCFixSpeed.A              | v2013.12.23.12
NANO AntiVirus          | Trojan.Win32.Babylon.csuksh            | 0.28.0.57630
Reason Heuristics       | PUP.Wooliktechnologiesltd.L            | 14.8.7.21
Trend Micro House Call  | TROJ_GEN.F47V1014                      | 7.2.357
Vba32 AntiVirus         | suspected of Trojan.Downloader.gen     | 3.12.24.3

File size:
717.4 KB (734,576 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\searchgoltb.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
7/25/2013 2:00:00 AM

Valid to:
7/26/2014 1:59:59 AM

Subject:
CN=Woolik technologies ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Woolik technologies ltd, L=Or Yeuda, S=israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
233D2998915945A85914A5071B609336

File PE Metadata
Compilation timestamp:
6/16/2013 1:48:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:CsZfDKTlVxfweBSdVe6EnNvlQmJQX5ONBC+/1DFosuEyqQUMICbU6amf4Bnoofsu:CiGTTvBSNmveWQXOF9DaJZjIMUMSn5Ei

Entry address:
0x1595

Entry point:
55, 8B, EC, 83, E4, F8, 81, EC, 44, 0A, 00, 00, A1, 00, 50, 40, 00, 33, C4, 89, 84, 24, 40, 0A, 00, 00, 53, 56, 33, DB, 57, 8D, 74, 24, 10, 88, 5C, 24, 0E, C6, 44, 24, 0F, 01, E8, C3, 05, 00, 00, 53, 89, 9C, 24, 6C, 02, 00, 00, 89, 9C, 24, 70, 02, 00, 00, 89, 9C, 24, 74, 02, 00, 00, C7, 84, 24, 78, 02, 00, 00, 03, 00, 00, 00, FF, 54, 24, 50, 89, 84, 24, 64, 02, 00, 00, 8B, C6, E8, 07, FA, FF, FF, 3B, C3, 0F, 85, 1A, 01, 00, 00, 8D, 84, 24, 78, 02, 00, 00, 50, 8B, FE, E8, 2C, FF, FF, FF, 8B, F8, 3B, FB, 0F...

Developed / compiled with:
Microsoft Visual C++

Code size:
12 KB (12,288 bytes)

The file searchgoltb.exe has been seen being distributed by the following 2 URLs.
