1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe

Bright circle investments Ltd.

This adware utilizes the Crossrider extension platform and will inject advertisiments in the Internet browser and may modify core browser settings. Ads will be delivered as banners and contextual text-links and may promote other potentially unwanted software. The application 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe by Bright circle investments has been detected as adware by 17 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. While running, it connects to the Internet address ip-184-168-221-53.ip.secureserver.net on port 80 using the HTTP protocol. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.
Publisher:
Plus-HD-V1.5  (signed by Bright circle investments Ltd.)

Product:
Plus-HD-V1.5

Description:
Plus-HD-V1.5 exe

Version:
1000.1000.1000.1000

MD5:
45a566edcab8fee7468f6dbebfbbbe61

SHA-1:
bfdaf7fd6781e41c605ba76e2e79d5c23b325e44

SHA-256:
761ea90bb59c887a781bb9b50451e21acf4054b8c5864d2b82337caf52c27922

Scanner detections:
17 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
11/27/2024 7:02:53 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Toolbar.CrossRider
7.1.1

Avira AntiVirus
Adware/CrossRider.A.11496
7.11.158.214

avast!
Win32:Adware-gen [Adw]
140617-1

Comodo Security
ApplicUnwnt
18804

ESET NOD32
Win32/Toolbar.CrossRider.AK potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/Toolbar_CrossRider
7/24/2014

K7 AntiVirus
Trojan
13.180.12643

McAfee
RDN/Generic PUP.x!cgr
5600.7059

NANO AntiVirus
Riskware.Win32.CrossRider.dbkpsg
0.28.0.60698

Panda Antivirus
Trj/OCJ.F
14.07.24.03

Qihoo 360 Security
Win32/Virus.Adware.440
1.0.0.1015

Reason Heuristics
PUP.Task.Brightcircleinvestments.g
14.7.17.9

Sophos
Generic PUA LP
4.98

Trend Micro House Call
ADW_CROSSRID
7.2.205

Trend Micro
ADW_CROSSRID
10.465.24

VIPRE Antivirus
Threat.4789396
31208

Zillya! Antivirus
Adware.AdLoad.Win32.94
2.0.0.1850

File size:
876.5 KB (897,520 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
Plus-HD-V1.5.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\plus-hd-v1.5\1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/19/2014 10:00:00 AM

Valid to:
6/20/2015 9:59:59 AM

Subject:
CN=Bright circle investments Ltd., O=Bright circle investments Ltd., STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EF90FEF9AC8E258E5D30D0E08C84D37E

File PE Metadata
Compilation timestamp:
6/20/2014 8:06:25 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:Pv7BHCyQ1oXvYCI6Yk6hUtHVhVxLH8fKLh3YPJXDgJ+kU64bFzCvdwXpTnFK:Pv7BHCbonr96UHVhVxLH8uPeP+QTw

Entry address:
0x8F28F

Entry point:
E8, 77, E3, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01, 01, 81, 74, E8, 8B, 41, FC, 84, C0, 74, 32, 84, E4, 74, 24, A9, 00, 00, FF, 00, 74, 13, A9, 00, 00, 00, FF, 74, 02, EB, CD, 8D, 41, FF, 8B, 4C, 24, 04, 2B, C1, C3, 8D, 41...
 
[+]

Entropy:
6.5533

Code size:
723.5 KB (740,864 bytes)

Scheduled Task
Task name:
1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4

Trigger:
Logon (Runs on logon)

Action:
1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe \nnpqzal \tslqtz='plus-hd-v1.5' \pscfjxwe='C:\prog


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.10:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to ip-184-168-221-53.ip.secureserver.net  (184.168.221.53:80)

Remove 1a865e51-8d7f-47ac-a7cc-49d250e98ec8-4.exe - Powered by Reason Core Security