fdf1bf47b3b45056592934d28672dbeafe2b49d248c068b8d833e2570b791dac

Kimahri Software inc.

This adware is a web browser advertising-injection extension built and distributed with the Crossrider platform. Once installed in the browser it hijacks browser settings such as the homepage and search provider, may track browsing behavior, and delivers advertisements. The file fdf1bf47b3b45056592934d28672dbeafe2b49d248c068b8d833e2570b791dac by Kimahri Software inc. has been detected as adware by 21 anti-malware scanners. The program is a setup application packaged with the Nullsoft Install System installer and built with the Crossrider cross-browser extension toolkit. Although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider; it belongs to the Brightcircle group of web extensions that inject advertisements into the browser.
Publisher:
Kimahri Software inc.  (signed and verified)

Version:
1.34.5.4

MD5:
5683cf91cd4d7a0a1b453db24a41ff7f

SHA-1:
e47a867acd602a37b2f6c0c66da38cfc2dcf1ffe

SHA-256:
fdf1bf47b3b45056592934d28672dbeafe2b49d248c068b8d833e2570b791dac

Scanner detections:
21 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/24/2024 10:36:04 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.JS.Agent.AN | 5654257
Agnitum Outpost | Riskware.VMDetector | 7.1.1
AhnLab V3 Security | PUP/Win32.MulDrop | 2015.06.04
Avira AntiVirus | ADWARE/CrossRider.Gen | 8.3.1.6
avast! | Crossrider-EJ [PUP] | 150602-1
AVG | Generic | 2016.0.3089
Bkav FE | W32.HfsAdware | 1.3.0.6379
Dr.Web | Trojan.Crossrider1.23056 | 9.0.1.05190
ESET NOD32 | Win32/Packed.VMDetector.I potentially unwanted application | 7.0.302.0
G Data | Win32.Application.Plush | 15.6.25
K7 AntiVirus | Unwanted-Program | 13.204.16137
Kaspersky | not-a-virus:WebToolbar.Win32.CroRi | 15.0.0.543
Malwarebytes |  | v2015.06.04.09
MicroWorld eScan | Adware.JS.Agent.AM | 16.0.0.465
NANO AntiVirus | Trojan.Win32.Crossrider1.drzbki | 0.30.24.1636
Panda Antivirus | PUP/PlusHD | 15.06.04.09
Quick Heal | PUA.Kimahrisof.Gen | 6.15.14.00
Reason Heuristics | PUP.Brightcicrle.Installer.Brightcircle | 15.6.4.9
Sophos | PUA 'AppRider' (of type Adware) | 5.15
VIPRE Antivirus | Threat.4789396 | 40786
Zillya! Antivirus | Trojan.BlackGen.Win32.11 | 2.0.0.2205

File size:
6.5 MB (6,866,448 bytes)

Installer:
Nullsoft Install System

Language:
English (United States)

Digital Signature
Authority:
COMODO CA Limited

Valid from:
3/7/2013 1:00:00 AM

Valid to:
3/7/2016 12:59:59 AM

Subject:
CN=Kimahri Software inc., O=Kimahri Software inc., STREET=666 Sherbrooke Rue w, L=Montreal, S=Quebec, PostalCode=H3A 1E7, C=CA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A1BB8569950C0B2080A11A0E2F618B33

File PE Metadata
Compilation timestamp:
12/4/2012 2:55:02 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:UzUY16Gz6sZbb0N7/Sed9QQnHdnGDme8Flug:GUY16A6sZbb2Ky9NHdGV8B

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Entropy:
7.9980  (probably packed)

Code size:
34.5 KB (35,328 bytes)

When executed in live environments, the file has been observed making the following network communications.

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.14.140:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)