4975674a-3c50-4880-8d29-5b35a177af1c-9.exe

Kimahri Software inc.

This adware uses the Crossrider platform to build and distribute this web browser advertising injection extension. Once installed in the browser it will hijack various browser settings (homepage, search) and may interfere and track behaviors as well as deliver ads. The application 4975674a-3c50-4880-8d29-5b35a177af1c-9.exe by Kimahri Software inc has been detected as adware by 9 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.
Publisher:
Kimahri Software inc.  (signed and verified)

MD5:
dd814bfabf18ad17bc33f179af149fd4

SHA-1:
8c1b8802c0ee283e1854db155678ba1e1d4102f5

SHA-256:
4afd1bf12ac88e9e6331eae973c6aea717b0786ab9614744b6adce3dd9aa8096

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
12/24/2024 11:16:43 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Win-PUP/CrossRider
2014.11.23

avast!
Win32:Crossrider-F [PUP]
2014.9-141216

AVG
Generic
2015.0.3258

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.1468

G Data
Win32.Application.Plush
14.6.24

Kaspersky
not-a-virus:WebToolbar.Win32.CroRi
14.0.0.2787

Panda Antivirus
PUP/PlusHD
14.06.08.01

Reason Heuristics
PUP.KimahriSoftwareinc.g
14.6.8.10

VIPRE Antivirus
Threat.4789396
30086

File size:
918.4 KB (940,392 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\plus-hd-9.5\4975674a-3c50-4880-8d29-5b35a177af1c-9.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
3/7/2013 1:00:00 AM

Valid to:
3/7/2016 12:59:59 AM

Subject:
CN=Kimahri Software inc., O=Kimahri Software inc., STREET=666 Sherbrooke Rue w, L=Montreal, S=Quebec, PostalCode=H3A 1E7, C=CA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A1BB8569950C0B2080A11A0E2F618B33

File PE Metadata
Compilation timestamp:
6/2/2014 6:36:36 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:YhcJWx4IzwTAZWiSb4oF3pSdDTzLEsYqsu4o:4yqVzhZo3pSdDTzLEsYzu4o

Entry address:
0x72E44

Entry point:
E8, 3E, 13, 01, 00, E9, 7F, FE, FF, FF, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 55, 8B, EC, E8, 0F, 00, 00, 00, 83, 7D, 08, 00, 74, 05, E8, 07, 1F, 01, 00, DB, E2, 5D, C3, B8, 09, 43, 48, 00, A3, 78, D8, 4C, 00, C7, 05, 7C, D8, 4C, 00, E9, 4B, 48, 00, C7, 05, 80, D8, 4C, 00, 78, 4C, 48, 00, C7, 05, 84, D8, 4C, 00, D0, 4C, 48, 00, C7, 05, 88, D8, 4C, 00, 53, 4D, 48, 00...
 
[+]

Code size:
574.5 KB (588,288 bytes)

Scheduled Task
Task name:
4975674a-3c50-4880-8d29-5b35a177af1c-9

Trigger:
Logon (Runs on logon)

Action:
4975674a-3c50-4880-8d29-5b35a177af1c-9.exe \errorsdomain='httC:\errors.datademoserv.com\util


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-184-168-221-56.ip.secureserver.net  (184.168.221.56:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.120.217:80)

TCP (HTTP):
Connects to ip-184-168-221-36.ip.secureserver.net  (184.168.221.36:80)

Remove 4975674a-3c50-4880-8d29-5b35a177af1c-9.exe - Powered by Reason Core Security