» c01208e4-b2ad-40c1-9810-40447884a00b-9.exe
Overview
Analysis
File Details
Behaviors (1)
Network (2)

c01208e4-b2ad-40c1-9810-40447884a00b-9.exe

Kimahri Software inc.

This adware uses the Crossrider platform to build and distribute this web browser advertising injection extension. Once installed in the browser it will hijack various browser settings (homepage, search) and may interfere and track behaviors as well as deliver ads. The application c01208e4-b2ad-40c1-9810-40447884a00b-9.exe by Kimahri Software inc has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is distributed as part of the Brightcircle group of browser-extensions.

File name:

Publisher:

Kimahri Software inc. (signed and verified)

MD5:

350a6b3cfbdc36020341340a823cd850

SHA-1:

f0ce634fa2794756f0bd1bfc174f65b06517b2cd

SHA-256:

c07368ee84499faa0a372f74a1bebe7e59aaff334fad7d0485921aa0ffd3915d

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

4/26/2024 5:52:01 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Brightcicrle.Brightcircle (M)

16.3.1.9

File size:

918.4 KB (940,392 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Program Files\plus-hd-9.5\c01208e4-b2ad-40c1-9810-40447884a00b-9.exe

Digital Signature

Signed by:

Kimahri Software inc.

Authority:

COMODO CA Limited

Valid from:

3/6/2013 7:00:00 PM

Valid to:

3/6/2016 6:59:59 PM

Subject:

CN=Kimahri Software inc., O=Kimahri Software inc., STREET=666 Sherbrooke Rue w, L=Montreal, S=Quebec, PostalCode=H3A 1E7, C=CA

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00A1BB8569950C0B2080A11A0E2F618B33

File PE Metadata

Compilation timestamp:

6/2/2014 11:36:36 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

24576:YhcJWx4IzwTAZWiSb4oF3pSdDTzLEsYqsu4L:4yqVzhZo3pSdDTzLEsYzu4L

Entry address:

0x72E44

Entry point:

E8, 3E, 13, 01, 00, E9, 7F, FE, FF, FF, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 55, 8B, EC, E8, 0F, 00, 00, 00, 83, 7D, 08, 00, 74, 05, E8, 07, 1F, 01, 00, DB, E2, 5D, C3, B8, 09, 43, 48, 00, A3, 78, D8, 4C, 00, C7, 05, 7C, D8, 4C, 00, E9, 4B, 48, 00, C7, 05, 80, D8, 4C, 00, 78, 4C, 48, 00, C7, 05, 84, D8, 4C, 00, D0, 4C, 48, 00, C7, 05, 88, D8, 4C, 00, 53, 4D, 48, 00... 
[+]

Code size:

574.5 KB (588,288 bytes)

Scheduled Task

Task name:

c01208e4-b2ad-40c1-9810-40447884a00b-9

Trigger:

Logon (Runs on logon)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ip-184-168-221-56.ip.secureserver.net (184.168.221.56:80)

TCP (HTTP):

Connects to ip-184-168-221-36.ip.secureserver.net (184.168.221.36:80)

Remove c01208e4-b2ad-40c1-9810-40447884a00b-9.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.