plushd-v1.9-nova.exe

PlusHD-V1.9

Bright circle investments Ltd.

This adware is built on the Crossrider extension platform. It injects advertisements into the web browser and may modify core browser settings. Ads are delivered as banners and contextual text links and may promote other potentially unwanted software. The application plushd-v1.9-nova.exe by Bright circle investments has been detected as adware by 18 of 68 anti-malware scanners. It persists as a scheduled task under the Windows Task Scheduler, triggered to execute each time a user logs in. While running, it connects to the Internet address ip-50-63-202-55.ip.secureserver.net on TCP port 80 using HTTP. It is distributed as part of the Brightcircle group of browser extensions.
Publisher:
PlusHDv1.9  (signed by Bright circle investments Ltd.)

Product:
PlusHD-V1.9

Description:
PlusHD-V1.9 exe

Version:
1000.1000.1000.1000

MD5:
31531edf2488994e240e5d26a8db2588

SHA-1:
64251de33b8b8cece3f4e296b03d6dddc9587951

SHA-256:
540be3d807e223d79a2f503d1adab0e187cb3549437cc668e58f8706d50d65be

Scanner detections:
18 / 68

Status:
Adware

Explanation:
May modify the web browser's settings, including the homepage and search provider, in addition to delivering ads by injecting banners and text links directly into web pages. Distributed under the Brightcircle investments brand.

Analysis date:
11/24/2017 3:48:01 PM UTC

Scan engine              Detection                                                        Engine version
Lavasoft Ad-Aware        Gen:Variant.Graftor.145947                                       949
Agnitum Outpost          PUA.Toolbar.CrossRider                                           7.1.1
AhnLab V3 Security       PUP/Win32.Toolbar                                                2014.07.05
Avira AntiVirus          Adware/CrossRider.A.15107                                        7.11.158.148
AVG                      Adware Generic_r                                                 2015.0.3366
Bitdefender              Gen:Variant.Graftor.145947                                       1.0.20.910
Comodo Security          ApplicUnwnt                                                      18771
Emsisoft Anti-Malware    Gen:Variant.Graftor.145947                                       8.14.07.01.04
ESET NOD32               Win32/Toolbar.CrossRider.AE potentially unwanted application     8.7.0.302.0
G Data                   Gen:Variant.Graftor.145947                                       14.7.24
McAfee                   Artemis!E23D26ECF20D                                             5600.7022
McAfee Web Gateway       Artemis!E23D26ECF20D                                             7.7022
MicroWorld eScan         Gen:Variant.Graftor.145947                                       15.0.0.546
NANO AntiVirus           Riskware.Win32.AdLoad.dbswkd                                     0.28.0.60577
Panda Antivirus          Trj/Genetic.gen                                                  14.07.01.04
Reason Heuristics        PUP.Task.Brightcircleinvestments.P                               14.7.17.9
VIPRE Antivirus          Threat.4789396                                                   31208

File size:
598.1 KB (612,408 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2016

Original file name:
PlusHD-V1.9.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\plushd-v1.9\plushd-v1.9-nova.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/20/2014 3:00:00 AM

Valid to:
6/21/2015 2:59:59 AM

Subject:
CN=Bright circle investments Ltd., O=Bright circle investments Ltd., STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4347D0F2AD67F1767C932B3BFBEA7713

File PE Metadata
Compilation timestamp:
6/27/2014 1:04:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:OKARyle2S+kESEdGynP+ftw7dpTkmUIz1Kq:z8ylXf9jHTRUe1P

Entry address:
0x46F99

Entry point:
E8, 57, DF, 00, 00, E9, 03, 00, 00, 00, CC, CC, CC, 6A, 14, 68, D8, D2, 47, 00, E8, DE, 4E, 00, 00, E8, 9A, 29, 00, 00, 0F, B7, F0, 6A, 02, E8, E7, DE, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 9A, 67, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00...
 

Entropy:
6.3265

Code size:
425 KB (435,200 bytes)
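
The CTPH field above is an ssdeep signature in the form blocksize:chunk1:chunk2, which is what lets a sample be matched against repacked or slightly modified builds when the MD5/SHA hashes no longer agree. The following Python reimplementation of the ssdeep comparison is an added example, not code from this page or from the ssdeep project; it follows the published fuzzy_compare/score_strings logic (compatible block sizes, trimming of character runs longer than three, a required common 7-character substring, and an edit distance with insert/delete cost 1 and substitution cost 2, scaled to 0..100). PAGE_SIGNATURE is the value from this page; VARIANT_SIGNATURE is a constructed near-variant used only to show a partial score.

```python
ROLLING_WINDOW = 7       # a non-zero score needs a common substring this long
MIN_BLOCKSIZE = 3
SPAMSUM_LENGTH = 64      # nominal length of one signature chunk

# Signature taken from the page's CTPH (ssdeep) field.
PAGE_SIGNATURE = "12288:OKARyle2S+kESEdGynP+ftw7dpTkmUIz1Kq:z8ylXf9jHTRUe1P"
# Constructed variant: two characters appended to each chunk (not a real sample).
VARIANT_SIGNATURE = "12288:OKARyle2S+kESEdGynP+ftw7dpTkmUIz1KqAB:z8ylXf9jHTRUe1PQR"


def _trim_runs(s):
    """Cap runs of identical characters at three (ssdeep's eliminate_sequences)."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def parse_signature(sig):
    """Split 'blocksize:chunk1:chunk2[,"filename"]' into (blocksize, chunk1, chunk2)."""
    parts = sig.strip().split(":", 2)
    if len(parts) != 3:
        raise ValueError("malformed ssdeep signature: %r" % sig)
    block_size = int(parts[0])
    chunk2 = parts[2].split(",", 1)[0]      # drop an optional trailing filename
    return block_size, _trim_runs(parts[1]), _trim_runs(chunk2)


def _has_common_substring(a, b):
    if len(a) < ROLLING_WINDOW or len(b) < ROLLING_WINDOW:
        return False
    grams = {a[i:i + ROLLING_WINDOW] for i in range(len(a) - ROLLING_WINDOW + 1)}
    return any(b[i:i + ROLLING_WINDOW] in grams
               for i in range(len(b) - ROLLING_WINDOW + 1))


def _edit_distance(a, b):
    """Levenshtein distance with insert/delete cost 1 and substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                            # insert
                           cur[j - 1] + 1,                         # delete
                           prev[j - 1] + (0 if ca == cb else 2)))  # substitute
        prev = cur
    return prev[len(b)]


def _score_chunks(a, b, block_size):
    if len(a) > SPAMSUM_LENGTH or len(b) > SPAMSUM_LENGTH:
        return 0
    if not _has_common_substring(a, b):
        return 0
    score = _edit_distance(a, b)
    score = (score * SPAMSUM_LENGTH) // (len(a) + len(b))   # proportion changed, 0..64
    score = (100 * score) // SPAMSUM_LENGTH                 # rescale to 0..100
    if score >= 100:
        return 0
    score = 100 - score
    # With small block sizes, short chunks must not claim a strong match.
    if block_size >= (99 + ROLLING_WINDOW) // ROLLING_WINDOW * MIN_BLOCKSIZE:
        return score
    return min(score, block_size // MIN_BLOCKSIZE * min(len(a), len(b)))


def fuzzy_compare(sig1, sig2):
    """Return the ssdeep similarity score (0..100) of two signatures."""
    bs1, a1, a2 = parse_signature(sig1)
    bs2, b1, b2 = parse_signature(sig2)
    if bs1 != bs2 and bs1 != 2 * bs2 and 2 * bs1 != bs2:
        return 0                                 # incomparable block sizes
    if bs1 == bs2:
        if a1 == b1 and a2 == b2:
            return 100
        return max(_score_chunks(a1, b1, bs1), _score_chunks(a2, b2, 2 * bs1))
    if bs1 == 2 * bs2:
        return _score_chunks(a1, b2, bs1)        # sig1's coarse chunk vs sig2's fine chunk
    return _score_chunks(a2, b1, bs2)


if __name__ == "__main__":
    print(fuzzy_compare(PAGE_SIGNATURE, PAGE_SIGNATURE))      # 100
    print(fuzzy_compare(PAGE_SIGNATURE, VARIANT_SIGNATURE))   # 99
```

Signatures with a different block size (other than exactly double or half) score 0 regardless of content, so when hunting for related builds keep the ssdeep block size in the IOC record alongside the hash itself.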

Scheduled Task
Task name:
e29193b0-b61f-4d86-ada8-6277dd849368-7

Trigger:
Logon (Runs on logon)

Action:
plushd-v1.9-nova.exe \bwwze='plushd-v1.9' \qhwatmw=59570 \scxets='00172
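
The persistence above (a GUID-named task, a logon trigger, and an action whose switches are random words) can be hunted across a fleet by parsing the task definitions stored under C:\Windows\System32\Tasks or exported with schtasks /query /xml. The following Python is an added example, not code from this page; the heuristics (GUID-style name with optional numeric suffix, two or more backslash-prefixed random switches, both only reported when combined with a logon trigger) are my own assumptions, and the three task definitions are constructed, the first one modelled on the fields listed above.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics (assumptions, not from the page): a GUID task name with an optional
# numeric suffix, and argument strings built from backslash-prefixed random words.
GUID_NAME = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(-\d+)?$", re.I)
ODD_SWITCH = re.compile(r"\\[a-z]{4,}=")


def inspect_task(task_name, task_xml):
    """Return the reasons a task looks like logon-persistent adware, or [] if it does not."""
    root = ET.fromstring(task_xml)
    runs_at_logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None
    reasons = []
    if GUID_NAME.match(task_name):
        reasons.append("GUID-style task name")
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = (action.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS) or ""
        if len(ODD_SWITCH.findall(args)) >= 2:
            reasons.append("random-looking switches passed to " + command)
    # Oddities in the name or arguments only matter together with logon persistence.
    if runs_at_logon and reasons:
        return ["runs at logon"] + reasons
    return []


def inspect_task_file(path):
    """Inspect one on-disk task definition; files are UTF-16, so hand the parser bytes."""
    p = Path(path)
    return inspect_task(p.name, p.read_bytes())


# Constructed task XML modelled on the Scheduled Task fields listed on this page.
ADWARE_TASK_NAME = "e29193b0-b61f-4d86-ada8-6277dd849368-7"
ADWARE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\plushd-v1.9\plushd-v1.9-nova.exe</Command>
      <Arguments>\bwwze='plushd-v1.9' \qhwatmw=59570</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign tasks: a daily job, and a logon job with an ordinary name and arguments.
BENIGN_TASK_NAME = "NightlyBackup"
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2017-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
      <Arguments>--full --dest D:\backups</Arguments>
    </Exec>
  </Actions>
</Task>"""
LOGON_TASK_NAME = "SyncAgent"
LOGON_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\SyncAgent\agent.exe</Command>
      <Arguments>/background</Arguments>
    </Exec>
  </Actions>
</Task>"""
```

A logon trigger on its own is common for legitimate software, which is why the code reports nothing for the SyncAgent task; the signal is the combination with a name and argument style no installer would normally produce.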


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-50-63-202-56.ip.secureserver.net  (50.63.202.56:80)

TCP (HTTP):
Connects to ip-50-63-202-55.ip.secureserver.net  (50.63.202.55:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (52.216.225.226:80)
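
All four endpoints above are shared infrastructure (GoDaddy hosting under secureserver.net, the hwcdn.net CDN, and Amazon S3 website hosting), so a single proxy-log hit on one of them is weak evidence. The following Python, an added example rather than tooling from this page, matches a proxy log against the listed hosts and IPs and then correlates per client, reporting only clients that reached several of the indicators. The log format and the sample lines are constructed; the indicators are the ones listed above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the page's network section.
IOC_HOSTS = {
    "ip-50-63-202-56.ip.secureserver.net",
    "ip-50-63-202-55.ip.secureserver.net",
    "hwcdn.net",
    "s3-website-us-east-1.amazonaws.com",
}
IOC_IPS = {"50.63.202.56", "50.63.202.55", "69.16.175.42", "52.216.225.226"}

# Constructed log format: timestamp client method url status server_ip
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<server>\S+)$")

# Constructed sample: 10.0.0.5 touches three indicators, 10.0.0.9 touches one,
# 10.0.0.7 is only matchable by server IP (CONNECT gives no hostname in the URL).
SAMPLE_LOG = """\
2017-11-24T15:40:01Z 10.0.0.5 GET http://ip-50-63-202-55.ip.secureserver.net/ 200 50.63.202.55
2017-11-24T15:40:02Z 10.0.0.5 GET http://hwcdn.net/ 200 69.16.175.42
2017-11-24T15:40:03Z 10.0.0.5 GET http://s3-website-us-east-1.amazonaws.com/ 200 52.216.225.226
2017-11-24T15:41:10Z 10.0.0.9 GET http://s3-website-us-east-1.amazonaws.com/ 200 52.216.225.226
2017-11-24T15:41:11Z 10.0.0.9 GET http://example.com/ 200 93.184.216.34
2017-11-24T15:42:00Z 10.0.0.7 CONNECT 50.63.202.56:443 200 50.63.202.56
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def ioc_hits(log_text):
    """Return (client, indicator) pairs for every line touching a listed host or IP."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in IOC_HOSTS:
            hits.append((rec["client"], rec["host"]))
        elif rec["server"] in IOC_IPS:          # fall back to the resolved server IP
            hits.append((rec["client"], rec["server"]))
    return hits


def correlate(hits, min_distinct=2):
    """Clients that touched at least min_distinct different indicators."""
    per_client = defaultdict(set)
    for client, ioc in hits:
        per_client[client].add(ioc)
    return {c: sorted(i) for c, i in per_client.items() if len(i) >= min_distinct}


if __name__ == "__main__":
    for client, iocs in correlate(ioc_hits(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(iocs))
```

The threshold of two distinct indicators per client is a starting point, not a tuned value; on a network where S3 website hosting is in everyday use, the S3 endpoint alone will match constantly, and the task-scheduler artifact above is the better confirmation for any client this flags.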

Remove plushd-v1.9-nova.exe - Powered by Reason Core Security