uethfsenea.exe

TV Time

Ratio Applications

This is part of an adware program designed to inject advertising in the web browser (banners, text-links) as well as modify the normal behavior of the browser. Part of the Injekt brand of unwanted programs. The application uethfsenea.exe by Ratio Applications has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “ueThfSENea”.
Publisher:
Ratio Applications  (signed and verified)

Product:
TV Time

Description:
TVTime Service

Version:
1.0.0.0

MD5:
f79b97b99457f60c73c6dc174fdc9988

SHA-1:
2eb597308d828c8dd9be0b34e11ad7b804e1517e

SHA-256:
e56ac72aee1fabe15c0f9e63fe72326fdbe5d881ce9627e7590a9ee08476f082

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads in the web browser as well as alters the browsers settings (home page, search, DNS, and security protocols).

Analysis date:
11/15/2024 2:30:23 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Injekt (M)
17.2.20.12

File size:
2.2 MB (2,317,664 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Ratio Applications 2014

Original file name:
TVTimeService.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\ProgramData\lcyljmbvxir\uethfsenea.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/31/2014 5:00:00 PM

Valid to:
4/1/2015 4:59:59 PM

Subject:
CN=Ratio Applications, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ratio Applications, L=St. James, S=St. James, C=BB

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
352ECA57D8FB6A999A86A031DD989803

File PE Metadata
Compilation timestamp:
10/10/2014 12:56:03 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

Entry address:
0x23598E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.9995

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.2 MB (2,308,608 bytes)

Service
Display name:
ueThfSENea

Type:
Win32OwnProcess

Depends on:
Winmgmt CryptSvc


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-54-246-181-97.eu-west-1.compute.amazonaws.com  (54.246.181.97:80)

Remove uethfsenea.exe - Powered by Reason Core Security