wrex.exe

Sapodilla Ltd

The application wrex.exe by Sapodilla has been detected as adware by 13 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘shopperz’. While running, it connects to the Internet address server-52-84-63-118.ord51.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Sapodilla Ltd  (signed and verified)

Version:
1.0.0.3

MD5:
bafcd7272747050754133debcf7a6c42

SHA-1:
2b56001dedc5594125495575edaf96ceacff0244

SHA-256:
c8b659f6ff7780a43262a52afc2ce27930021739b9cc58e384bfe527b61384ad

Scanner detections:
13 / 68

Status:
Adware

Analysis date:
11/25/2024 5:41:34 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Graftor.160428
687

Agnitum Outpost
PUA.Toolbar.Perion
7.1.1

Avira AntiVirus
TR/Graftor.429368
7.11.195.126

Bitdefender
Gen:Variant.Graftor.160428
1.0.20.390

Emsisoft Anti-Malware
Gen:Variant.Graftor.160428
8.15.03.19.01

ESET NOD32
Win32/Toolbar.Perion (variant)
9.10876

Fortinet FortiGate
Riskware/Perion
3/19/2015

F-Secure
Gen:Variant.Graftor.160428
11.2015-19-03_5

G Data
Gen:Variant.Graftor.160428
15.3.24

Malwarebytes
PUP.Optional.Pitaya
v2015.03.19.01

MicroWorld eScan
Gen:Variant.Graftor.160428
16.0.0.234

Reason Heuristics
PUP.Startup.Bitcocktail
15.3.12.7

VIPRE Antivirus
Trojan.Win32.Generic
35728

File size:
420.4 KB (430,456 bytes)

Product version:
1.0.0.3

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\shopperz\wrex.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
1/28/2015 5:37:16 AM

Valid to:
1/29/2016 5:37:16 AM

Subject:
CN=Sapodilla Ltd, O=Sapodilla Ltd, L=Hod Hasharon, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121449121483F5C10A1D21935F061A75AD5

File PE Metadata
Compilation timestamp:
3/11/2015 5:25:55 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:AmoASFFZUAwNAKPe7Gh0RyazFLrTORTmFcpHRTJ9P/y4:AmoFzeArGh0FF237Tfy4

Entry address:
0x260EF

Entry point:
E8, 9C, 79, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 83, 3D, B0, 09, 45, 00, 01, 72, 5F, 0F, B6, 44, 24, 08, 8B, D0, C1, E0, 08, 0B, D0, 66, 0F, 6E, DA, F2, 0F, 70, DB, 00, 0F, 16, DB, 8B, 54, 24, 04, B9, 0F, 00, 00, 00, 83, C8, FF, 23, CA, D3, E0, 2B, D1, F3, 0F, 6F, 0A, 66, 0F, EF, D2, 66, 0F, 74, D1, 66, 0F, 74, CB, 66, 0F, EB, D1, 66, 0F, D7, CA, 23, C8, 75, 08, 83, C8, FF, 83, C2, 10, EB, DC, 0F, BC, C1, 03, C2, 66, 0F, 7E, DA, 33, C9, 3A, 10, 0F, 45, C1, C3, 33, C0, 8A, 44, 24, 08, 53...
 
[+]

Entropy:
5.9918

Code size:
243.5 KB (249,344 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
shopperz

Command:
C:\Program Files\shopperz\wrex.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-150-109.sin2.r.cloudfront.net  (54.230.150.109:80)

TCP (HTTP):
Connects to server-54-192-55-210.jfk6.r.cloudfront.net  (54.192.55.210:80)

TCP (HTTP):
Connects to server-54-192-55-16.jfk6.r.cloudfront.net  (54.192.55.16:80)

TCP (HTTP):
Connects to server-54-192-55-110.jfk6.r.cloudfront.net  (54.192.55.110:80)

TCP (HTTP):
Connects to server-54-230-150-58.sin2.r.cloudfront.net  (54.230.150.58:80)

TCP (HTTP):
Connects to server-54-230-150-56.sin2.r.cloudfront.net  (54.230.150.56:80)

TCP (HTTP):
Connects to server-54-192-123-84.dfw50.r.cloudfront.net  (54.192.123.84:80)

TCP (HTTP):
Connects to server-52-85-221-70.cdg50.r.cloudfront.net  (52.85.221.70:80)

TCP (HTTP):
Connects to server-52-84-63-118.ord51.r.cloudfront.net  (52.84.63.118:80)

TCP (HTTP):
Connects to server-52-84-174-48.gru50.r.cloudfront.net  (52.84.174.48:80)

TCP (HTTP):
Connects to server-52-84-174-135.gru50.r.cloudfront.net  (52.84.174.135:80)

Remove wrex.exe - Powered by Reason Core Security