toolbar26706653.exe

Woolik technologies ltd

The application toolbar26706653.exe by Woolik technologies ltd has been detected as adware by 7 anti-malware scanners. This is a setup program which is used to install the application. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2txuyvgupvxmq.cloudfront.net.
Publisher:
Woolik technologies ltd  (signed and verified)

MD5:
ddaf09528ef4af5749438d50a54b5ad1

SHA-1:
9b55c5707a3c292ff4874e57022e83abb3969a6a

SHA-256:
39153db1a50879545f587d417b81456a93bf743f65b1e742e7ff9853e3020aa8

Scanner detections:
7 / 68

Status:
Adware

Analysis date:
12/24/2024 11:14:36 AM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.Clod004.Trojan
1.3.0.4415

Dr.Web
Adware.Babylon.14
9.0.1.0357

ESET NOD32
Win32/Toolbar.Babylon (variant)
7.9025

McAfee
Artemis!DDAF09528EF4
5600.7272

Reason Heuristics
PUP.Wooliktechnologiesltd.P
14.8.7.21

Trend Micro House Call
TROJ_GEN.F47V1017
7.2.357

Vba32 AntiVirus
suspected of Trojan.Downloader.gen
3.12.24.3

File size:
768 KB (786,456 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\toolbar26706653.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
7/25/2013 12:00:00 AM

Valid to:
7/25/2014 11:59:59 PM

Subject:
CN=Woolik technologies ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Woolik technologies ltd, L=Or Yeuda, S=israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
233D2998915945A85914A5071B609336

File PE Metadata
Compilation timestamp:
7/31/2013 8:41:47 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:tjmiGTTvBSNmveWQXOF9DaJZjIMUMSn5EtVYfAW:tjmb/Tv9AOfwZUxMSn5eYYW

Entry address:
0x1C48

Entry point:
55, 8B, EC, 83, E4, F8, B8, 7C, 1A, 00, 00, E8, C8, 62, 00, 00, 53, 56, 33, DB, 57, 8D, 8C, 24, E0, 07, 00, 00, 88, 5C, 24, 0E, C6, 44, 24, 0F, 01, E8, FE, 1A, 00, 00, 53, 89, 9C, 24, 3C, 0A, 00, 00, 89, 9C, 24, 40, 0A, 00, 00, 89, 9C, 24, 44, 0A, 00, 00, C7, 84, 24, 48, 0A, 00, 00, 03, 00, 00, 00, FF, 94, 24, 20, 08, 00, 00, 8D, 8C, 24, E0, 07, 00, 00, 89, 84, 24, 34, 0A, 00, 00, E8, 6D, FA, FF, FF, 8D, 8C, 24, E0, 07, 00, 00, E8, DF, FA, FF, FF, 85, C0, 0F, 85, 05, 01, 00, 00, 8D, 44, 24, 10, 50, 8D, 8C...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
30 KB (30,720 bytes)

The file toolbar26706653.exe has been seen being distributed by the following URL.

http://d2txuyvgupvxmq.cloudfront.net/doko.exe

Remove toolbar26706653.exe - Powered by Reason Core Security