wunderweb_ad.exe

WunderWeb

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The application wunderweb_ad.exe by WunderWeb has been detected as adware by 4 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. Once installed, it plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. The installer is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from d3d6wi7c7pa6m0.cloudfront.net.
Publisher:
WunderWeb  (signed and verified)

MD5:
1b6cd7b6d5a46421ec82c48a404ec9cb

SHA-1:
5f74abe2da7f38d4ee21ea7477f9b93b4cc29935

SHA-256:
d9013596188a85b33b38f03198fa183ef4ae778d3550753c6d4ffffef0e3bde7

Scanner detections:
4 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/23/2024 11:55:17 PM UTC

Scan engine / Detection / Engine version:
ESET NOD32: Win32/BrowseFox (engine version 8.8944)
Reason Heuristics: PUP.WunderWeb.M (engine version 14.8.8.0)
SUPERAntiSpyware: Trojan.Agent/Gen-BHO (engine version 10794)
VIPRE Antivirus: Trojan.Win32.Generic (engine version 22592)

File size:
171.1 KB (175,224 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\wunderweb_ad.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/13/2013 10:00:00 AM

Valid to:
8/14/2015 9:59:59 AM

Subject:
CN=WunderWeb, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WunderWeb, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
766C8ED1334566AB295138A99FE038D9

File PE Metadata
Compilation timestamp:
12/6/2009 9:50:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:BLk395hYXJsCKwH86enEVSVbJm9anH7l1m/GqMHJGULv:BQqDKWIEANwYnH7nm/G/Hc

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.8686

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file wunderweb_ad.exe has been seen being distributed by the following URL.
