» feven 1.1-helper.exe
Overview
Analysis
File Details
Network (4)

feven 1.1-helper.exe

Brightcircle Investments Limited

This web browser extension utilizes the Crossrider framework. The application feven 1.1-helper.exe by Brightcircle Investments Limited has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address ssl.hwcdn.net on port 80 using the HTTP protocol. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.

File name:

Publisher:

Brightcircle Investments Limited (signed and verified)

MD5:

09e790e16a89429e103d4f10199c511c

SHA-1:

a2056105355d6ab5a69ce413e7627eab215b4f5c

SHA-256:

176310e26e5af1d61e5fc1a4a840d90b44e3ea1bccfdf8fc8a96249c08003c6b

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

4/25/2024 4:59:04 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Brightcircle.BrightcircleInvestments (M)

16.2.4.0

File size:

328.4 KB (336,232 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Program Files\feven 1.1\feven 1.1-helper.exe

Digital Signature

Signed by:

Brightcircle Investments Limited

Authority:

GoDaddy.com, Inc.

Valid from:

3/8/2013 10:33:54 AM

Valid to:

3/8/2016 10:33:54 AM

Subject:

CN=Brightcircle Investments Limited, O=Brightcircle Investments Limited, L=Nicosia, S=Strovolos, C=CY

Issuer:

SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:

047F36483DC84C

File PE Metadata

Compilation timestamp:

11/10/2013 8:09:28 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

6144:pg4wqrKe20kMRy6iz8sTrlTkaTBoJ7qmWCV:i4wqOe20kMQ6iFlkaTeTRV

Entry address:

0x24FE4

Entry point:

E8, AE, B8, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 00, D6, 44, 00, E8, 46, 5B, 00, 00, E8, 31, 1D, 00, 00, 0F, B7, F0, 6A, 02, E8, 41, B8, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 42, 5B, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Code size:

240 KB (245,760 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to update.srvstatsdata.com (69.16.175.42:80)

TCP (HTTP):

Connects to ssl.hwcdn.net (205.185.208.11:80)

TCP (HTTP):

Connects to errors.srvstatsdata.com (208.85.150.249:80)

TCP (HTTP):

Connects to app-static.crossrider.com (69.16.175.10:80)

Remove feven 1.1-helper.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.