wikithemes.exe

Internet Widgits Pty Ltd

The application wikithemes.exe by Internet Widgits Pty Ltd has been flagged as a potentially unwanted program (PUP) by 1 of 68 anti-malware scanners (Reason Heuristics). It is set to execute automatically when any user logs into Windows, through the all-users Run key in the registry (HKLM), under the name ‘WikiThemes’. While running, it connects to the Internet address nova.rambler.ru on port 443, among the other hosts listed below.
Publisher:
Internet Widgits Pty Ltd  (signed with a self-signed certificate: issuer and subject are identical, so the signature only shows the file was not altered after signing and does not establish who the publisher is)

MD5:
193087aef4de93bdfe1bb318eaaff4a7

SHA-1:
01546646aad32fd6dfac2d0099dde4f804b136ac

SHA-256:
978021a3933279017c8380aad08e2a82aca4c11ce116f9986f104facb05db489

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
12/24/2024 1:30:24 AM UTC

Scan engine         Detection   Engine version
Reason Heuristics   PUP (M)     17.3.10.11

File size:
45.3 MB (47,492,160 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\wikithemes\wikithemes.exe

Digital Signature
Authority:
Internet Widgits Pty Ltd

Valid from:
11/14/2016 6:36:30 PM

Valid to:
11/12/2026 6:36:30 PM

Subject:
CN=WikiThemes, O=Internet Widgits Pty Ltd, S=Some-State, C=US

Issuer:
CN=WikiThemes, O=Internet Widgits Pty Ltd, S=Some-State, C=US

Serial number:
00BFAB17CFDB648FE9

File PE Metadata
Compilation timestamp:
2/17/2017 6:17:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C9A083

Entry point:
E8, 98, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, A7, 20, 00, 00, 85, C0, 74, 08, 6A, 16, E8, 6A, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, 97, 24, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A7, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 14, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8868

Code size:
34.9 MB (36,637,696 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WikiThemes

Command:
C:\users\{user}\appdata\roaming\wikithemes\wikithemes.exe su
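
The following PowerShell triage script is an added example and is not part of the original report or of the WikiThemes software. It checks a host for the indicators listed on this page: the file under each user's roaming AppData, its SHA-256 against the reported value, the Authenticode signature (in particular whether issuer equals subject, as the Digital Signature section shows), and the ‘WikiThemes’ Run value. The HKCU Run key is checked as well as HKLM as a precaution; that location is an assumption, not something the report lists. Run it in an elevated PowerShell session.

```powershell
# Added triage example, not code from the report. Indicators are taken from this page.
$ExpectedSha256 = '978021a3933279017c8380aad08e2a82aca4c11ce116f9986f104facb05db489'
$RunValueName   = 'WikiThemes'
$RunKeys        = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # listed on this page
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # assumption: checked as a precaution
)

# The report gives the path under {user}; look in every profile on the machine.
$candidates = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\wikithemes\wikithemes.exe' } |
    Where-Object { Test-Path -LiteralPath $_ }

if (-not $candidates) { Write-Host 'wikithemes.exe not found under any user profile' }

foreach ($file in $candidates) {
    Write-Host "== $file"

    # 1. Compare the file hash with the SHA-256 reported for this sample.
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLowerInvariant()
    if ($hash -eq $ExpectedSha256) {
        Write-Host 'SHA-256 matches the reported sample'
    } else {
        Write-Host "SHA-256 differs ($hash): a different build, analyse it separately"
    }

    # 2. Inspect the Authenticode signature. "Signed" is not the same as "trusted":
    #    a self-signed certificate never chains to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $file
    Write-Host "Signature status: $($sig.Status)"
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $issuer  = $sig.SignerCertificate.Issuer
        Write-Host "Subject: $subject"
        Write-Host "Issuer:  $issuer"
        if ($subject -eq $issuer) {
            Write-Host 'Self-signed certificate: issuer equals subject, no chain to a trusted CA'
        }
        # "Internet Widgits Pty Ltd" and "Some-State" are the default values OpenSSL
        # offers when generating a certificate request; a publisher that keeps them
        # has not filled in any real identity details.
        if ($subject -match 'Internet Widgits Pty Ltd') {
            Write-Host 'Subject uses the OpenSSL placeholder organisation name'
        }
    }
}

# 3. Persistence: look for the Run value named on this page.
foreach ($key in $RunKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$RunValueName]) {
        Write-Host "Run value '$RunValueName' under $key : $($run.$RunValueName)"
        # Remove the persistence entry only after the binary itself has been quarantined:
        # Remove-ItemProperty -Path $key -Name $RunValueName
    } else {
        Write-Host "No '$RunValueName' value under $key"
    }
}
```

The hash check matters because the report describes one specific build; a file at the same path with a different hash should not be assumed to behave as described here. The signature check prints the status rather than trusting it: a self-signed certificate typically yields a non-valid status unless someone has installed it into the local root store, which is itself worth investigating.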


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to upload-lb.ulsfo.wikimedia.org  (198.35.26.112:443)

TCP (HTTP SSL):
Connects to text-lb.ulsfo.wikimedia.org  (198.35.26.96:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.sg3.yahoo.com  (106.10.162.43:443)

TCP (HTTP):
Connects to ec2-54-221-206-77.compute-1.amazonaws.com  (54.221.206.77:80)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.ir2.yahoo.com  (217.12.15.96:443)

TCP (HTTP):
Connects to ec2-75-101-133-248.compute-1.amazonaws.com  (75.101.133.248:80)

TCP (HTTP SSL):
Connects to t6-ha.ycpi.sgb.yahoo.com  (119.161.11.151:443)

TCP (HTTP SSL):
Connects to IP-118-215.MCS.internet.exchange  (119.110.118.215:443)

TCP (HTTP SSL):
Connects to 85.243.178.107.bc.googleusercontent.com  (107.178.243.85:443)

TCP (HTTP SSL):
Connects to ec2-54-154-194-232.eu-west-1.compute.amazonaws.com  (54.154.194.232:443)

TCP (HTTP):
Connects to ec2-107-22-247-81.compute-1.amazonaws.com  (107.22.247.81:80)

TCP (HTTP SSL):
Connects to t4-ha.ycpi.sgb.yahoo.com  (119.161.10.151:443)

TCP (HTTP SSL):
Connects to server-54-192-202-97.fra50.r.cloudfront.net  (54.192.202.97:443)

TCP (HTTP SSL):
Connects to nova.rambler.ru  (81.19.82.28:443)

TCP (HTTP SSL):
Connects to IP-118-166.MCS.internet.exchange  (119.110.118.166:443)

TCP (HTTP SSL):
Connects to ifn.com  (205.207.0.107:443)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to ec2-54-197-238-140.compute-1.amazonaws.com  (54.197.238.140:80)

TCP (HTTP SSL):
Connects to ec2-52-48-217-100.eu-west-1.compute.amazonaws.com  (52.48.217.100:443)

TCP (HTTP SSL):
Connects to ec2-52-35-108-147.us-west-2.compute.amazonaws.com  (52.35.108.147:443)

Remove wikithemes.exe - Powered by Reason Core Security