air857a.exe

Id-Vqzoz

BadFinger Project (BrightCircle Investments Limited)

This adware is a web browser extension that injects advertising into the browser in the form of unwanted banners and text links, which may link to malware sites and install unwanted software. The application air857a.exe by BadFinger Project (BrightCircle Investments Limited) has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the Nullsoft Install System installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr7.com. It is distributed as part of the BrightCircle group of browser extensions.
Publisher:
Agnhfkxnallms & co.  (signed by BadFinger Project (BrightCircle Investments Limited))

Product:
Id-Vqzoz

Description:
Temuuybka

Version:
23.12.19.21

MD5:
065c33ebb6b901524a66ec338adc65c9

SHA-1:
f9189f100d4702fc5ab6e36191e1881d08aeac90

SHA-256:
aaa2a0bb7e28d246fa994c18c5e31ad0b35a043e11d9d99da172f261744622d5

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not yet detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
12/25/2024 2:03:26 AM UTC

Scan engine:
Reason Heuristics

Detection:
Adware.BrightCircle.Agnhfkxn.Installer (M)

Engine version:
16.3.11.6

File size:
13.5 MB (14,205,056 bytes)

Copyright:
Copyright Zdbigavawx

Trademarks:
Vqzoz is a trademark of Lzksggqmw

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\air857a.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
11/17/2014 1:00:00 AM

Valid to:
11/18/2015 12:59:59 AM

Subject:
CN=BadFinger Project (BrightCircle Investments Limited), O=BadFinger Project (BrightCircle Investments Limited), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6623FAFCAC357577A31D90C1E567E9A7

File PE Metadata
Compilation timestamp:
12/4/2012 2:55:11 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
393216:1WWG2cM3nj1OOgfX+HWU1Of3B/Zpw9QAsx:wWGbMz1DgfXPUM3BBCBI

Entry address:
0x412D

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 73, 45, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 74, 45, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 74, 45, 00, 56, A3, F4, E7, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8B, 3B, 00, 00, A3, 50, E8, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A9, B2, 40, 00, FF, 15, AC, 74, 45, 00, 83, EC, 14, C7, 44, 24, 04, AA, B2, 40, 00, C7...

Code size:
33.5 KB (34,304 bytes)

The file air857a.exe has been seen being distributed by the following URL.

Remove air857a.exe - Powered by Reason Core Security