wikithemes.exe

Internet Widgits Pty Ltd

The application wikithemes.exe by Internet Widgits Pty Ltd has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is set to execute automatically when any user logs into Windows (through the local user Run registry setting) under the name ‘WikiThemes’. While running, it connects to the Internet address 192.58.155.104.bc.googleusercontent.com on port 443.
Publisher:
Internet Widgits Pty Ltd (signed and verified)

MD5:
434ee25d6e35a462ecc3616a1e68f84d

SHA-1:
5a966cc89931a0892cc16658f8912b8782c80fcf

SHA-256:
88d0bb37e9028675337418a2d4b5dcf2cb130efd0ba943dc283a6343f7caca11

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/23/2024 1:22:09 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
17.2.19.18

File size:
45.6 MB (47,853,920 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\wikithemes\wikithemes.exe

Digital Signature
Authority:
Internet Widgits Pty Ltd

Valid from:
11/14/2016 12:36:30 PM

Valid to:
11/12/2026 12:36:30 PM

Subject:
CN=WikiThemes, O=Internet Widgits Pty Ltd, S=Some-State, C=US

Issuer:
CN=WikiThemes, O=Internet Widgits Pty Ltd, S=Some-State, C=US

Serial number:
00BFAB17CFDB648FE9

File PE Metadata
Compilation timestamp:
1/14/2017 7:33:31 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C99451

Entry point:
E8, 9A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, B8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, B8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, B8, EC, 02, 02, 74, 21, 6A, 17, E8, C9, 2D, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Code size:
34.9 MB (36,635,648 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WikiThemes

Command:
C:\users\{user}\appdata\roaming\wikithemes\wikithemes.exe su

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ec2-34-199-175-29.compute-1.amazonaws.com  (34.199.175.29:443)

TCP (HTTP SSL):
Connects to 192.58.155.104.bc.googleusercontent.com  (104.155.58.192:443)

TCP (HTTP SSL):
Connects to serverel.com  (109.206.161.3:443)

TCP (HTTP):
Connects to prod-hzeu-exebid-lba-1.dca-ops.tech  (136.243.131.50:80)

TCP (HTTP SSL):
Connects to ndata02.adlooxtracking.com  (149.202.93.237:443)

TCP (HTTP SSL):
Connects to mypersonalfinancestoday.com  (77.245.58.157:443)

TCP (HTTP SSL):
Connects to ec2-52-202-66-241.compute-1.amazonaws.com  (52.202.66.241:443)

TCP (HTTP SSL):
Connects to ec2-52-14-181-12.us-east-2.compute.amazonaws.com  (52.14.181.12:443)

TCP (HTTP SSL):
Connects to ec2-50-17-205-213.compute-1.amazonaws.com  (50.17.205.213:443)

TCP (HTTP SSL):
Connects to ec2-34-250-3-121.eu-west-1.compute.amazonaws.com  (34.250.3.121:443)

TCP (HTTP SSL):
Connects to ec2-184-169-179-91.us-west-1.compute.amazonaws.com  (184.169.179.91:443)

TCP (HTTP SSL):
Connects to data22.adlooxtracking.com  (137.74.93.121:443)

TCP (HTTP SSL):
Connects to 25.8.148.146.bc.googleusercontent.com  (146.148.8.25:443)

TCP (HTTP SSL):
Connects to 169.23.187.35.bc.googleusercontent.com  (35.187.23.169:443)

TCP (HTTP SSL):
Connects to ds-usa-abl-2.itftd.com  (158.69.117.176:443)

TCP (HTTP SSL):
Connects to ndata01.adlooxtracking.com  (149.202.93.236:443)

Remove wikithemes.exe - Powered by Reason Core Security