» 4504.exe
Overview
Analysis
File Details
Network (19)

4504.exe

CinemaP-1.9cV04.03

Blondie Project (Bright Circle Investments Ltd)

This adware is a web browser extension that will inject advertising in the browser in the form of unwanted banners and text-links which may link to malware sites and install unwanted software. The application 4504.exe, “CinemaP-1.9cV04.03 exe” by Blondie Project (Bright Circle Investments) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address ip-184-168-221-47.ip.secureserver.net on port 80 using the HTTP protocol. It is distributed as part of the Brightcircle group of browser-extensions.

File name:

4504.exe

Publisher:

Cinema PlusV04.03 (signed by Blondie Project (Bright Circle Investments Ltd))

Product:

CinemaP-1.9cV04.03

Description:

CinemaP-1.9cV04.03 exe

Version:

1000.1000.1000.1000

MD5:

8c0e92c5fb432311ad113940000070bc

SHA-1:

89981ab2c98e49befc083fd28d62088874ae4f66

SHA-256:

f37f1d607517e18e4f8a2946507e3deb06ada5186ac298ee32498dcbad4a2755

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

4/23/2024 6:24:33 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Adware.BrightCircle.BlondieProjectBrightCircleInvestments (M)

16.3.1.2

File size:

1.4 MB (1,419,736 bytes)

Product version:

1000.1000.1000.1000

Original file name:

CinemaP-1.9cV04.03.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\temp\4504.exe

Digital Signature

Signed by:

Blondie Project (Bright Circle Investments Ltd)

Authority:

COMODO CA Limited

Valid from:

12/16/2014 7:00:00 AM

Valid to:

12/17/2015 6:59:59 AM

Subject:

CN=Blondie Project (Bright Circle Investments Ltd), O=Blondie Project (Bright Circle Investments Ltd), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

0903CC287C7EEA81D3C21DBB234D320C

File PE Metadata

Compilation timestamp:

3/4/2015 6:07:13 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

24576:bIgqFpwAp8pLcPxfDaoxIjtc9igMrJXpIWi8IATRpSPNCyJJxvV2RXqKOqr97l:bIgfSpRiVJ+bATRpSPjJJV2pqKOE97l

Entry address:

0xBF91D

Entry point:

E8, 31, FE, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 58, D9, 53, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 58, A1, 53, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 58, D9, 53, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8... 
[+]

Entropy:

6.4855

Code size:

950 KB (972,800 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ip-184-168-221-47.ip.secureserver.net (184.168.221.47:80)

TCP (HTTP):

Connects to ip-50-63-202-62.ip.secureserver.net (50.63.202.62:80)

TCP (HTTP):

Connects to ec2-54-235-70-136.compute-1.amazonaws.com (54.235.70.136:80)

TCP (HTTP):

Connects to server-52-84-16-236.sea32.r.cloudfront.net (52.84.16.236:80)

TCP (HTTP):

Connects to server-54-239-132-130.sfo9.r.cloudfront.net (54.239.132.130:80)

TCP (HTTP):

Connects to server-52-85-83-48.lax1.r.cloudfront.net (52.85.83.48:80)

TCP (HTTP):

Connects to server-52-85-83-180.lax1.r.cloudfront.net (52.85.83.180:80)

TCP (HTTP):

Connects to server-52-84-16-53.sea32.r.cloudfront.net (52.84.16.53:80)

TCP (HTTP):

Connects to server-52-85-83-75.lax1.r.cloudfront.net (52.85.83.75:80)

TCP (HTTP):

Connects to server-52-85-83-17.lax1.r.cloudfront.net (52.85.83.17:80)

TCP (HTTP):

Connects to server-52-85-83-143.lax1.r.cloudfront.net (52.85.83.143:80)

TCP (HTTP):

Connects to server-52-85-83-102.lax1.r.cloudfront.net (52.85.83.102:80)

TCP (HTTP):

Connects to server-52-85-83-101.lax1.r.cloudfront.net (52.85.83.101:80)

TCP (HTTP):

Connects to server-52-84-22-165.sea32.r.cloudfront.net (52.84.22.165:80)

TCP (HTTP):

Connects to ec2-54-243-171-118.compute-1.amazonaws.com (54.243.171.118:80)

TCP (HTTP):

Connects to ec2-23-23-251-76.compute-1.amazonaws.com (23.23.251.76:80)

TCP (HTTP):

Connects to ec2-23-23-196-129.compute-1.amazonaws.com (23.23.196.129:80)

TCP (HTTP):

Connects to ec2-23-23-100-24.compute-1.amazonaws.com (23.23.100.24:80)

TCP (HTTP):

Connects to ec2-23-21-174-210.compute-1.amazonaws.com (23.21.174.210:80)

Remove 4504.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.