72adc4fb-6293-4a4b-a6cc-4fa0a475afe3-1-7.exe

CinemaPlus-3.2cV21.05

Digit Network (Extreme White Limited)

The application 72adc4fb-6293-4a4b-a6cc-4fa0a475afe3-1-7.exe, “CinemaPlus-3.2cV21.05 exe” by Digit Network (Extreme White Limited) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address sage.parklogic.com on port 80 using the HTTP protocol.
Publisher:
Cinema PlusV21.05  (signed by Digit Network (Extreme White Limited))

Product:
CinemaPlus-3.2cV21.05

Description:
CinemaPlus-3.2cV21.05 exe

Version:
1000.1000.1000.1000

MD5:
44f791fc29d42d82c87819939fedf55b

SHA-1:
1d87c71b35d423adac1e715271bdfe1cc27a2fb1

SHA-256:
9fd28319dd7f6d0a3721b15e9705ef5b4f689f837a43580dc9a847b491abbd9e

Scanner detections:
1 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
8/21/2018 9:14:18 AM UTC

Scan engine:
Reason Heuristics

Detection:
Adware.Crossrider (M)

Engine version:
16.10.13.1

File size:
1.1 MB (1,187,920 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
CinemaPlus-3.2cV21.05.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\cinemaplus-3.2cv21.05\72adc4fb-6293-4a4b-a6cc-4fa0a475afe3-1-7.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 2:00:00 AM

Valid to:
4/15/2016 1:59:59 AM

Subject:
CN=Digit Network (Extreme White Limited), O=Digit Network (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F39F5E5096779B72822CF8381166A432

File PE Metadata
Compilation timestamp:
5/21/2015 9:04:48 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:cXcnVjlxxDSFYYKHuW+x3e0P76ugVY6bg9Zk2rspSm+xT9k:cXcnVjlxxDSpmij69Ym8spSm+xT9k

Entry address:
0x9FA0B

Entry point:
E8, CC, 00, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 0C, 57, 85, C9, 0F, 84, 92, 00, 00, 00, 56, 53, 8B, D9, 8B, 74, 24, 14, F7, C6, 03, 00, 00, 00, 8B, 7C, 24, 10, 75, 0B, C1, E9, 02, 0F, 85, 85, 00, 00, 00, EB, 27, 8A, 06, 83, C6, 01, 88, 07, 83, C7, 01, 83, E9, 01, 74, 2B, 84, C0, 74, 2F, F7, C6, 03, 00, 00, 00, 75, E5, 8B, D9, C1, E9, 02, 75, 61, 83, E3, 03, 74, 13, 8A, 06, 83, C6, 01, 88, 07, 83, C7, 01, 84, C0, 74, 37, 83, EB, 01, 75, ED, 8B, 44, 24, 10, 5B...
 

Code size:
804 KB (823,296 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to sage.parklogic.com  (69.39.236.56:80)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.90:80)

TCP (HTTP):
Connects to ip-184-168-221-50.ip.secureserver.net  (184.168.221.50:80)
