bsplayer264.1073.exe

Conduit Ltd.

The file belongs to the Conduit API platform, a utility that bundles and monetizes search toolbars and web browser extensions. The application bsplayer264.1073.exe by Conduit has been detected as a potentially unwanted program by 7 anti-malware scanners. The program is a setup application that uses the Conduit Setup Manager installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from download4.bsplayer.com and multiple other hosts. While running, it connects to the Internet address cms.distributionengine.conduit-services.com on port 80 using the HTTP protocol.
Publisher:
Conduit Ltd. (signed and verified)

MD5:
d4fadfcd6370633173329ff932092055

SHA-1:
3ca0491e61030d7667809b8366cecc266baaad55

SHA-256:
1a2020807e43d11a380deeb6cb6c09a1c3213e237178fb4ed455a7e30f0e224c

Scanner detections:
7 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler, which offers to install additional software and may include web browser add-ons and toolbars that display advertising (based on publisher settings and geo context).

Description:
This is also known as bundleware, or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
11/27/2024 2:00:01 AM UTC

Scan engine         Detection                  Engine version
Dr.Web              Adware.Downware.933        9.0.1.0182
ESET NOD32          Win32/Toolbar.Conduit      8.10025
Malwarebytes        PUP.Optional.Conduit       v2014.07.01.03
Panda Antivirus     PUP/Conduit.A              14.07.01.03
Reason Heuristics   PUP.Conduit.P              14.8.7.22
Rising Antivirus    PE:PUF.OpenCandy!1.9DE5    23.00.65.14629
VIPRE Antivirus     Conduit                    30838

File size:
1.2 MB (1,241,688 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Conduit Setup Manager (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\bsplayer264.1073.exe

Digital Signature
Signed by:
Conduit Ltd.
Authority:
VeriSign, Inc.

Valid from:
2/17/2010 4:00:00 AM

Valid to:
3/30/2013 3:59:59 AM

Subject:
CN=Conduit Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Conduit Ltd., S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3736DA15AF647632CCE61CD41B6577DD

File PE Metadata
Compilation timestamp:
2/24/2012 11:19:54 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:EoZ8TKf33MC3eRst5dRI7XaBShDxXl+h9h5eL3dRxtd:JEInuA5nIEaDVlsfa/d

Entry address:
0x3883

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, 92, 40, 00, FF, 15, 84, 81, 40, 00, 68, 4C, 92, 40, 00, 68, C0, AD, 46, 00, E8, 18, 27, 00, 00, FF, 15, B0, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 06, 27, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
27.5 KB (28,160 bytes)

The file bsplayer264.1073.exe has been seen being distributed by the following 11 URLs.

http://download4.bsplayer.com/download_free_bsplayer.php?type=1

http://dw1.uptodown.com/dwn/CMmJEnX3wxduijQ0MmdNO6PTpYnQvbZPmjeFQReAvhLrucOGSyWLqrZOaDaaKWYZaC_SCPbXYQ9yIv6ccsWIAVb2Hp_JrJF6OgOnc3ny1loHCyEWPd5wdOcD0LBGwqQa/2BG7n68hRUKyTXnlReP-liC212aO_bNlq5aXIOYEghiY6ESexZzrlzj1o79zXIwn_gfgB5ZKL2EYlE36RE70T2TjW4xKPbUpF1w8L2BT28ab3LT3FaV6dXAQhQmetYVY/.../bsplayer-2-64-1073-es-en-br-fr-de-it-cn-jp-ar-ru-win.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ude.conduit-data.com  (195.78.120.173:80)

TCP (HTTP):
http://offering.service.distributionengine.conduit-services.com/DecisionEngine.ashx

TCP (HTTP):
Connects to cms.distributionengine.conduit-services.com  (54.243.251.51:80)

Remove bsplayer264.1073.exe - Powered by Reason Core Security