home

4c7d9f47-8186-4362-9bc8-2636ef05d9a7-11.exe

HD-V1.9

Evangelion Group

This potentially unwanted Internet browser extension is built upon and distributed using the free Crossrider platform and will deliver advertisements to the web browser in various formats such as banner, text hyper-links, inline text and transitional ads. The application 4c7d9f47-8186-4362-9bc8-2636ef05d9a7-11.exe by Evangelion Group has been detected as adware by 19 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. While running, it connects to the Internet address wifi.free.fr on port 443. It is distributed as part of the Brightcircle group of browser-extensions.
Publisher:
InfoHD-V1.8  (signed by Evangelion Group)

Product:
HD-V1.9

Description:
HD-V1.9 exe

Version:
1000.1000.1000.1000

MD5:
34bb9d37b0e48d8927ad6fcd9b085aa3

SHA-1:
0a41cdc72c6caab45e8e747dfedfff7038555c18

SHA-256:
9d41f8a6db6c32dff041d0be3c5d45c227d57fd8a6c130a78d49c03e4a2b0789

Scanner detections:
19 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage). Distributed through the Brightcircle investments brand.

Analysis date:
4/27/2024 12:17:31 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Kazy.374062
906

Avira AntiVirus
Adware/Kazy.374062.40
7.11.166.236

AVG
Generic
2015.0.3384

Bitdefender
Gen:Variant.Adware.Kazy.374062
1.0.20.1125

Emsisoft Anti-Malware
Gen:Variant.Adware.Kazy.374062
8.14.08.13.08

ESET NOD32
Win32/Toolbar.CrossRider.AK potentially unwanted application
8.7.0.302.0

Fortinet FortiGate
Adware/Adwapper
10/24/2014

F-Secure
Gen:Variant.Adware.Kazy.374062
11.2014-13-08_4

G Data
Gen:Variant.Adware.Kazy.374062
14.8.24

herdProtect (fuzzy)
variant of 5094d061-c583-4133-81cb-dff004a43396-11.exe (Adware)
2014.10.24.21

Kaspersky
not-a-virus:AdWare.NSIS.Adwapper
14.0.0.3413

Malwarebytes
PUP.Optional.InfoHD.A
v2014.08.13.08

McAfee
Trojan.Artemis!AB0A3D274955
5600.6967

MicroWorld eScan
Gen:Variant.Adware.Kazy.374062
15.0.0.675

Panda Antivirus
Trj/Genetic.gen
14.08.13.08

Qihoo 360 Security
HEUR/Malware.QVM10.Gen
1.0.0.1015

Reason Heuristics
PUP.EvangelionGroup.h
14.8.13.7

Sophos
Generic PUA FB
4.98

VIPRE Antivirus
Threat.4789396
32210

File size:
1.9 MB (1,971,568 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
HD-V1.9.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\hd-v1.9\4c7d9f47-8186-4362-9bc8-2636ef05d9a7-11.exe

Digital Signature
Signed by:
Evangelion Group

Authority:
COMODO CA Limited

Valid from:
7/28/2014 7:00:00 AM

Valid to:
7/29/2015 6:59:59 AM

Subject:
CN=Evangelion Group, O=Evangelion Group, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0095E2A1168FF10F1D56CF5FFE4ABC7450

File PE Metadata
Compilation timestamp:
8/12/2014 8:20:58 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:w1gEuItgrCl2h4oamDvkUck5fWpSx7DTHFYUzn+nPRxa:w1NuJrCl2h4o17kUFld

Entry address:
0xEB354

Entry point:
E8, 3A, 00, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 6D, 01, 01, 00, 3B, 30, 7C, 07, E8, 64, 01, 01, 00, 8B, 30, E8, 57, 01, 01, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 60, 5F, 00, 00, 8B, F0, 85, F6, 75, 07, B8, 40, 37, 55, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 7A, 31, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, 40, 37, 55, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, D1, ED...
 
[+]

Entropy:
6.8665

Code size:
1.1 MB (1,144,832 bytes)

Scheduled Task
Task name:
4c7d9f47-8186-4362-9bc8-2636ef05d9a7-11

Path:
C:\WINDOWS\Tasks\4c7d9f47-8186-4362-9bc8-2636ef05d9a7-11.job

Trigger:
Logon (Runs on logon)

Action:
4c7d9f47-8186-4362-9bc8-2636ef05d9a7-11.exe \rawdata=r\tu+hg7jw4irddoecirhmiy7w30tnt9oi0hx\uqh


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP SSL):
Connects to wifi.free.fr  (212.27.40.236:443)

Remove 4c7d9f47-8186-4362-9bc8-2636ef05d9a7-11.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.