» 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe
Overview
Analysis
File Details
Behaviors (1)
Network (5)

1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe

Bright circle investments Ltd.

This adware utilizes the Crossrider extension platform and will inject advertisiments in the Internet browser and may modify core browser settings. Ads will be delivered as banners and contextual text-links and may promote other potentially unwanted software. The application 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe by Bright circle investments has been detected as adware by 23 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. While running, it connects to the Internet address ip-184-168-221-53.ip.secureserver.net on port 80 using the HTTP protocol. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.

File name:

Publisher:

Plus-HD-V1.5 (signed by Bright circle investments Ltd.)

Product:

Plus-HD-V1.5

Description:

Plus-HD-V1.5 exe

Version:

1000.1000.1000.1000

MD5:

0b13c2941482032329588898cabc1d31

SHA-1:

6f062002fd4c5d02f5cfa40e9d24638a394f954f

SHA-256:

857412d30a58936160aab9e8d7c32ff14854644ef8cea6b441e4329f393d032b

Scanner detections:

23 / 68

Status:

Adware

Explanation:

May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:

4/25/2024 8:29:07 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Kazy.374062

925

Agnitum Outpost

PUA.Toolbar.CrossRider

7.1.1

Avira AntiVirus

Adware/CrossRider.A.11433

7.11.158.50

Bitdefender

Gen:Variant.Adware.Kazy.374062

1.0.20.1025

Clam AntiVirus

Win.Adware.Agent-7312

0.98/19185

Comodo Security

ApplicUnwnt

18744

Emsisoft Anti-Malware

Gen:Variant.Adware.Kazy.374062

8.14.07.24.02

ESET NOD32

Win32/Toolbar.CrossRider.AK potentially unwanted application

7.0.302.0

Fortinet FortiGate

Riskware/Toolbar_CrossRider

7/24/2014

F-Secure

Gen:Variant.Adware.Kazy.374062

11.2014-24-07_5

G Data

Gen:Variant.Adware.Kazy.374062

14.7.24

IKARUS anti.virus

Win32.SuspectCrc

t3scan.1.6.1.0

K7 AntiVirus

Trojan

13.180.12598

McAfee

Artemis!0B13C2941482

5600.7059

MicroWorld eScan

Gen:Variant.Adware.Kazy.374062

15.0.0.615

NANO AntiVirus

Riskware.Win32.AdLoad.dbjxuu

0.28.0.60577

Panda Antivirus

Trj/OCJ.F

14.07.24.02

Qihoo 360 Security

Win32/Virus.Adware.c3a

1.0.0.1015

Reason Heuristics

PUP.Task.Brightcircleinvestments.h

14.7.17.9

Sophos

Generic PUA GP

4.98

Trend Micro House Call

ADW_CROSSRID

7.2.205

Trend Micro

ADW_CROSSRID

10.465.24

VIPRE Antivirus

Threat.4789396

31208

File size:

1.9 MB (1,968,112 bytes)

Product version:

1000.1000.1000.1000

Original file name:

Plus-HD-V1.5.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\plus-hd-v1.5\1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe

Digital Signature

Signed by:

Bright circle investments Ltd.

Authority:

COMODO CA Limited

Valid from:

6/19/2014 10:00:00 AM

Valid to:

6/20/2015 9:59:59 AM

Subject:

CN=Bright circle investments Ltd., O=Bright circle investments Ltd., STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00EF90FEF9AC8E258E5D30D0E08C84D37E

File PE Metadata

Compilation timestamp:

6/20/2014 8:07:13 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

49152:v+/wG5Ngg0flrHdQJQCcJb6pMuuEPcopSRp+TgUzn+nPRxt:2oqjklrHdQJ36b6pMbh

Entry address:

0xEBF64

Entry point:

E8, 44, 00, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 77, 01, 01, 00, 3B, 30, 7C, 07, E8, 6E, 01, 01, 00, 8B, 30, E8, 61, 01, 01, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 60, 5F, 00, 00, 8B, F0, 85, F6, 75, 07, B8, C0, 30, 55, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 7A, 31, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, C0, 30, 55, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, DB, ED... 
[+]

Entropy:

6.8698

Code size:

1.1 MB (1,143,296 bytes)

Scheduled Task

Task name:

1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11

Trigger:

Logon (Runs on logon)

Action:

1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe \xwfcmrok=ogbkyu+m+xlrpnzfaad9anbptqfadtiy3el8fx4j

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ip-184-168-221-53.ip.secureserver.net (184.168.221.53:80)

TCP (HTTP):

Connects to s3-website-us-east-1.amazonaws.com (52.216.1.42:80)

TCP (HTTP):

Connects to tlb.hwcdn.net (69.16.175.10:80)

Remove 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-11.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.