» c5c12794-0d0c-490a-b2fc-355908af37be-6.exe
Overview
Analysis
File Details
Behaviors (1)
Network (3)

c5c12794-0d0c-490a-b2fc-355908af37be-6.exe

TheTorntv V10

Arod Group (BrightCircle Investments Limited)

This adware is a web browser extension that will inject advertising in the browser in the form of unwanted banners and text-links which may link to malware sites and install unwanted software. The application c5c12794-0d0c-490a-b2fc-355908af37be-6.exe, “TheTorntv V10 exe” by Arod Group (BrightCircle Investments Limited) has been detected as adware by 20 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.

File name:

Publisher:

esc (signed by Arod Group (BrightCircle Investments Limited))

Product:

TheTorntv V10

Description:

TheTorntv V10 exe

Version:

1000.1000.1000.1000

MD5:

ca15e279c19d70033826d8db35eef817

SHA-1:

ae6724447d623eade2fc4aa78c20db4c2ef9e3cb

SHA-256:

214f70e6ec55978d1df437c8a366b2b0e2ae06a7e53a3c7c3b3d4be163dbb9cb

Scanner detections:

20 / 68

Status:

Adware

Explanation:

The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:

4/26/2024 1:12:18 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Application.Heur.nz1@k4SX3Wfi

804

AhnLab V3 Security

PUP/Win32.CrossRider

2014.11.21

Avira AntiVirus

ADWARE/CrossRider.Gen4

7.11.187.214

Baidu Antivirus

PUA.Win32.CrossRider

4.0.3.141122

Bitdefender

Gen:Application.Heur.nz1@k4SX3Wfi

1.0.20.1630

ESET NOD32

Win32/Toolbar.CrossRider.AY (variant)

8.10755

Fortinet FortiGate

Riskware/CrossRider

11/22/2014

F-Prot

W32/A-865d81b8

v6.4.7.1.166

F-Secure

Gen:Application.Heur.nz1@k4SX3Wfi

11.2014-22-11_7

G Data

Gen:Application.Heur.nz1@k4SX3Wfi

14.11.24

IKARUS anti.virus

Trojan.GoogUpdate

t3scan.1.8.3.0

Malwarebytes

PUP.Optional.TornTV.A

v2014.11.22.04

McAfee

Artemis!CA15E279C19D

5600.6938

MicroWorld eScan

Gen:Application.Heur.nz1@k4SX3Wfi

15.0.0.978

Panda Antivirus

Trj/Genetic.gen

14.11.22.04

Qihoo 360 Security

Win32/Application.641

1.0.0.1015

Reason Heuristics

PUP.Crossrider.Task.g

14.11.22.16

Sophos

Generic PUA KO

4.98

Trend Micro House Call

Suspicious_GEN.F47V1119

7.2.335

VIPRE Antivirus

Crossrider

34964

File size:

1.2 MB (1,269,208 bytes)

Product version:

1000.1000.1000.1000

Original file name:

TheTorntv V10.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\Program Files\thetorntv v10\c5c12794-0d0c-490a-b2fc-355908af37be-6.exe

Digital Signature

Signed by:

Arod Group (BrightCircle Investments Limited)

Authority:

COMODO CA Limited

Valid from:

11/16/2014 6:00:00 PM

Valid to:

11/17/2015 5:59:59 PM

Subject:

CN=Arod Group (BrightCircle Investments Limited), O=Arod Group (BrightCircle Investments Limited), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

2E8AFF90B80D6850112E322E12C15E12

File PE Metadata

Compilation timestamp:

11/18/2014 2:37:22 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

24576:eHmvNsW6axdrI1PtBo38UZ8WjIS2Ou/jzT8pS0FcBP8P:bLC1PtBI3ZwT8pS0Cp8P

Entry address:

0xA4706

Entry point:

E8, 59, 01, 01, 00, E9, 00, 00, 00, 00, 6A, 14, 68, C8, 7F, 50, 00, E8, B4, 76, 00, 00, E8, 86, 53, 00, 00, 0F, B7, F0, 6A, 02, E8, EC, 00, 01, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, FD, 8D, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Entropy:

6.4242

Code size:

817 KB (836,608 bytes)

Scheduled Task

Task name:

c5c12794-0d0c-490a-b2fc-355908af37be-6

Trigger:

Logon (Runs on logon)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ip-50-63-202-55.ip.secureserver.net (50.63.202.55:80)

TCP (HTTP):

Connects to s3-website-us-east-1.amazonaws.com (54.231.121.41:80)

TCP (HTTP):

Connects to ip-50-63-202-54.ip.secureserver.net (50.63.202.54:80)

Remove c5c12794-0d0c-490a-b2fc-355908af37be-6.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.