stormwatchsetup.exe

StormWatch

Local Weather LLC

Part of an adware web browser extension that delivers advertisements such as coupons, price-comparisons, display media, affiliate links, banners, popups/popunders and other links. The application stormwatchsetup.exe by Local Weather has been detected as adware by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from i.vertitechnologygroup.com.
Publisher:
Local Weather LLC  (signed and verified)

Product:
StormWatch

Version:
1.0.1.27

MD5:
3b0666cd999252c4f32adeb42662f78b

SHA-1:
e9956dc4f082d1580aaed77c94ee6eb49357174a

SHA-256:
d61613fe7e889c23b508f94c6d116c45fbb390a37410e179c2b49baada3842d1

Scanner detections:
3 / 68

Status:
Adware

Analysis date:
12/24/2024 1:44:23 AM UTC  (today)

Scan engine
Detection
Engine version

Malwarebytes
PUP.Optional.StormWatch.A
v2014.10.09.08

Reason Heuristics
PUP.Installer.LocalWeather.P
14.10.9.8

VIPRE Antivirus
Blinkx/SevereWeatherAlerts
33702

File size:
397 KB (406,504 bytes)

Product version:
1.0.1.27

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\stormwatchsetup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
10/14/2013 3:00:00 AM

Valid to:
10/15/2014 2:59:59 AM

Subject:
CN=Local Weather LLC, O=Local Weather LLC, STREET="250 Park Ave #504", L=Minneapolis, S=MN, PostalCode=55415, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
1E363E3CA4E0B46A71B002CFAF51DED1

File PE Metadata
Compilation timestamp:
12/6/2009 1:52:06 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:uSoBjwW1mGGX8rj5ISS7oVJBHtztPEWrP2+XMZqQs3TDZgfIdy2+1pLp:caWgGO8BxUorBnEa2+XFTGkyVr

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 6F, 44, 00, E8, 09, 2C, 00, 00, A3, A4, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 2E, 44, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.7398

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file stormwatchsetup.exe has been seen being distributed by the following URL.

Remove stormwatchsetup.exe - Powered by Reason Core Security