wartune.exe

KORAM GAMES LIMITED

The application wartune.exe by KORAM GAMES LIMITED has been detected as a potentially unwanted program by 4 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from static.koramgame.com.
Publisher:
KORAM GAMES LIMITED  (signed and verified)

MD5:
15d2fe1687cc433631ccf02bc7d4f4d7

SHA-1:
c5052bfc9fb3a6a403443118d5aeb279eedab847

SHA-256:
41fa6ebfe3d8bf870d3479f1321e97b6ad386398fa4f7df3f497284694cdfeb8

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/24/2024 9:54:59 AM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.HfsAdware
1.3.0.7383

Dr.Web
Adware.Downware.11043
9.0.1.0320

Reason Heuristics
Win32.Generic.KORAMGAMES.Installer.Meta
15.11.16.12

VIPRE Antivirus
InstallCore
44956

File size:
1.4 MB (1,477,032 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\wartune.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/7/2012 4:00:00 PM

Valid to:
1/7/2014 3:59:59 PM

Subject:
CN=KORAM GAMES LIMITED, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=KORAM GAMES LIMITED, L=HongKong, S=HongKong, C=HK

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6DE680510AEC828B17AC57B14D7A0CE3

File PE Metadata
Compilation timestamp:
9/26/2011 6:21:28 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:Pg7usEgMx/IxDCsr6iYSvSOYUOd+HTPf8+vGJdBbIuU3nETVOrcV2rt5+ZAWG/+8:k1Ehx/I1UJsYZgOTG93wVO4V2rtwSWjA

Entry address:
0x3883

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, 92, 40, 00, FF, 15, 84, 81, 40, 00, 68, 4C, 92, 40, 00, 68, C0, AD, 46, 00, E8, 18, 27, 00, 00, FF, 15, B0, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 06, 27, 00, 00...
 
[+]

Entropy:
7.9844

Packer / compiler:
Nullsoft install system v2.x

Code size:
27.5 KB (28,160 bytes)

The file wartune.exe has been seen being distributed by the following URL.

Remove wartune.exe - Powered by Reason Core Security