cbqvmspqg.exe

Shop and Save Up

BadFinger Project (BrightCircle Investments Limited)

This adware is a web browser extension that injects advertising into the browser in the form of unwanted banners and text links, which may lead to malware sites and install unwanted software. The application cbqvmspqg.exe, "Shop and Save Up Installer" by BadFinger Project (BrightCircle Investments Limited), has been detected as adware by 25 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. It is built using the Crossrider cross-browser extension toolkit. While the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is part of the BrightCircle group of web extensions that inject advertisements into the browser.
Publisher:
InstallMonetizer (signed by BadFinger Project (BrightCircle Investments Limited))

Product:
Shop and Save Up

Description:
Shop and Save Up Installer

Version:
1.36.01.22

MD5:
f3cdb65d5aac91a4adb3d5a6d7f1a76e

SHA-1:
1e71de773c324fda0977c9609b790e56262d365f

SHA-256:
5ca8aa010e16942c3b3079956f5cd95d3587e4e6394b816fa8e13411789e533c

Scanner detections:
25 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/24/2024 7:23:04 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Application.Parj.1
603

Agnitum Outpost
PUA.Toolbar.CrossRider
7.1.1

AhnLab V3 Security
PUP/Win32.CrossRider
2015.06.10

Avira AntiVirus
ADWARE/CrossRider.Gen
8.3.1.6

AVG
Crossrider
2016.0.3081

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Trojan.Crossrider1.22993
9.0.1.0162

ESET NOD32
Win32/Toolbar.CrossRider.BM potentially unwanted (variant)
9.11759

Fortinet FortiGate
Riskware/CrossRider
6/11/2015

G Data
Script.Application.Plush
15.6.25

K7 AntiVirus
Unwanted-Program
13.204.16188

Kaspersky
not-a-virus:AdWare.NSIS.Adwapper
14.0.0.1902

Malwarebytes
PUP.Optional.ShopAndSave.A
v2015.06.11.02

McAfee
Artemis!853487593E69
5600.6737

MicroWorld eScan
Gen:Application.Parj.1
16.0.0.486

Panda Antivirus
PUP/Icinema
15.06.11.02

Qihoo 360 Security
HEUR/QVM20.1.Malware.Gen
1.0.0.1015

Quick Heal
PUA.Badfingerp.Gen
6.15.14.00

Reason Heuristics
Adware.BrightCircle.Installer
15.6.11.10

Sophos
Generic PUA KM
4.98

Trend Micro House Call
ADW_CROSSRIDER
7.2.162

Trend Micro
ADW_CROSSRIDER
10.465.11

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

VIPRE Antivirus
Crossrider
40974

Zillya! Antivirus
Trojan.BlackGen.Win32.11
2.0.0.2215

File size:
9.8 MB (10,248,840 bytes)

Copyright:
Copyright InstallMonetizer

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\cbqvmspqg.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
11/17/2014 1:00:00 AM

Valid to:
11/18/2015 12:59:59 AM

Subject:
CN=BadFinger Project (BrightCircle Investments Limited), O=BadFinger Project (BrightCircle Investments Limited), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6623FAFCAC357577A31D90C1E567E9A7

File PE Metadata
Compilation timestamp:
12/4/2012 2:55:02 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:r4lMq1EBUd2XYcGObI1pZdqfd0/hB+EwpEGjCQkxeZD4acrgNNcE8hOxsoYXgjZx:r4uM26jdrh459CT00xgNNT80Tvj4dw

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Code size:
34.5 KB (35,328 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com (54.231.10.20:80)

TCP (HTTP):
Connects to hwcdn.net (69.16.175.42:80)

TCP (HTTP):
Connects to ec2-107-20-178-133.compute-1.amazonaws.com (107.20.178.133:80)

Remove cbqvmspqg.exe - Powered by Reason Core Security