home

yahoo_w3i.exe

Offer Broker

W3i, LLC

Part of an InstallX (InstallIQ) installation, a PUP that may bundle additional adware on the computer. The application yahoo_w3i.exe, “Offer Broker Process” by W3i has been detected as adware by 5 anti-malware scanners. The file has been seen being downloaded from cdn.4b1d720e.softiappspeed.com.
Publisher:
InstallX, LLC  (signed by W3i, LLC)

Product:
Offer Broker

Description:
Offer Broker Process

Version:
2.0.8.0

MD5:
194ad96e978a3e0793a50d6372bb16f5

SHA-1:
113ec341646724e8808aed0d7d9c5546d7bf1186

SHA-256:
10e6cc6e6a8d7453638aceaac04375d00e836af892d8e3482044b1d9f9e3266e

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Uses the InstallIQ (by InstallX) software bundler that may include toolbars and other browser extensions offers.

Analysis date:
12/26/2024 8:10:19 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

AhnLab V3 Security
PUP/Win32.OfferBroker
2014.10.06

ESET NOD32
Win32/InstallIQ (variant)
8.10516

Malwarebytes
PUP.Optional.OfferBroker.A
v2014.10.07.10

Reason Heuristics
PUP.W3i.J
14.10.7.10

File size:
939.7 KB (962,216 bytes)

Product version:
2.0.8.0

Copyright:
Copyright (C) 2013 InstallX, LLC. All rights reserved.

Original file name:
Installer.OfferBroker

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\yahoo_w3i.exe

Digital Signature
Signed by:
W3i, LLC

Authority:
VeriSign, Inc.

Valid from:
6/19/2011 1:00:00 AM

Valid to:
7/2/2013 12:59:59 AM

Subject:
CN="W3i, LLC", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="W3i, LLC", L=Sartell, S=Minnesota, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6A5D73F262C38BBD4578AB6AD713318D

File PE Metadata
Compilation timestamp:
3/19/2013 3:37:41 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:gadi0f+wu99xTI29AVwfvaxgsB14TFxT+u:gaLfE99aEfvaH1MTD

Entry address:
0x250C3

Entry point:
E8, EB, B7, 00, 00, E9, 78, FE, FF, FF, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01, 01, 81, 74, E8, 8B, 41, FC, 84, C0, 74, 32, 84, E4, 74, 24, A9, 00, 00, FF, 00, 74, 13, A9, 00, 00, 00, FF, 74, 02, EB, CD, 8D, 41, FF, 8B, 4C, 24, 04, 2B, C1, C3, 8D, 41, FE, 8B, 4C, 24...
 
[+]

Entropy:
6.7231

Code size:
696 KB (712,704 bytes)

The file yahoo_w3i.exe has been seen being distributed by the following URL.

http://cdn.4b1d720e.softiappspeed.com/files/.../Yahoo_w3i.exe

Remove yahoo_w3i.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.