bsplayer265.1074.exe

Conduit Ltd.

The file belongs to the Conduit API platform, a utility that bundles and monetizes search toolbars and web browser extensions. bsplayer265.1074.exe, published by Conduit, has been flagged as a potentially unwanted program by 8 anti-malware scanners. It is a setup application built with the Conduit Setup Manager installer. The file has been observed being downloaded from static.lhp.hu and multiple other hosts. While running, it connects to cms.distributionengine.conduit-services.com on port 80 over HTTP.
Publisher:
Conduit Ltd.  (signed and verified)

MD5:
6a0bc3f1a4b73a6672d402a23f4399cb

SHA-1:
9a76769b0126d3a178aa86c473f4f2c5f61026cd

SHA-256:
b0d117683a45db7c47e83ee4b985c8f77e7b9d4f455089282cbd3f4f3e9aae32

Scanner detections:
8 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (which may itself be legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
11/27/2024 12:42:19 AM UTC

Scan engine      | Detection               | Engine version
Bkav FE          | W32.Clodc97.Trojan      | 1.3.0.4923
Dr.Web           | Adware.Conduit.6        | 9.0.1.042
ESET NOD32       | Win32/Toolbar.Conduit   | 8.9392
Malwarebytes     | PUP.Optional.Conduit.A  | v2014.02.11.04
Panda Antivirus  | Adware/Conduit          | 14.02.11.04
Reason Heuristics| PUP.Conduit.P           | 14.8.7.22
Rising Antivirus | PE:PUF.OpenCandy!1.9DE5 | 23.00.65.14209
VIPRE Antivirus  | Conduit                 | 26222

File size:
1.3 MB (1,314,432 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Conduit Setup Manager (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\bsplayer265.1074.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/3/2013 2:00:00 AM

Valid to:
4/4/2016 2:59:59 AM

Subject:
CN=Conduit Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Conduit Ltd., L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3A82654719D8F75B59134F7B66465210

File PE Metadata
Compilation timestamp:
2/24/2012 9:19:54 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:Ff34duooIjkFWpjzwk8ixX9w+h/+2g0NJMtrrqhv/FamsA:5KRRjkk8iVWs24CrO1amsA

Entry address:
0x3883

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, 92, 40, 00, FF, 15, 84, 81, 40, 00, 68, 4C, 92, 40, 00, 68, C0, AD, 46, 00, E8, 18, 27, 00, 00, FF, 15, B0, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 06, 27, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
27.5 KB (28,160 bytes)

The file bsplayer265.1074.exe has been seen being distributed by the following 28 URLs.

http://static.lhp.hu/letoltokozpont.hu/programok/.../bsplayer265.1074.exe

http://downloads.zoznam.sk/.../bs-player-15?did=12126

http://bsplayer.he.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-em6aJp52hmpQ=

http://bsplayer.he.softonic.com/.../3tjQyeLV3cjDp-Hw3sCixsiGa5-em6OJo6SmlJ0=

http://d.baixakifiles2.com/?ic_user_id=254&data=lw6BG6GJw/oeuQsRGrvEf rMtvZE8pwKKS3aAvlP834X7Y7oxMAbG/SoE5svV9IWrdk2D4cTDLHAJP3NeEYrxo9rFlD760aCCLDYuAdhcJqRn/XjWSb2bb1JzTsA5gXgnw0A 9XHKAFSE3HWCfTX4bmTNFPAH3bY98pssbdx7X1nQJjYxoddU/duC8WrCEC6XdKQG7BGrf1bTFp/Kt8sSs6nndpDVX6wxjjNEsdGTJx0CKRwvxYkDTyjmqjPuM9w4Vv4SWx1FgUZbLCKlQpxBHeHqv1Vp9hsja5yavR2dP58IbKtDvWg6JXomeTp73UEk6cdlfunm6GbfeuK62BvLj6ym0Um7e3qzeIxTBnc6Atq EYC0CQmTlDeafYqnCjsWXWGflGDGa89s9S8vKXzUNsPVJJxppTLohZFH12hC5xNooMlPxsPJlt/8IGyhjgJl8t/5Y2HrtqEjrBgJghCcWmpPFkh2p IUynWzbOTG5JqjmzFqxCjMhY2TOjt95SON54dada8u0vmGLprSDLaXHjnU6yRleyt0NrnTVOtsV4EosDH J/mFo8WLEmFwirOyMJoh4A8jX9 VHyclbuoKyFHCAbec/8BG4hYN0roxuzE0aWOctjQFc4OP6uYqJsYbWUZIQNO Pkw0ZT/P/9iSEn4bXaSTkbQ4JEaL6xsxZv7E4BLSFFdi3gyjtkIfvlGs1DzMgAAcozNuoDhn/.../tVmUGwd6wK6fhAHrL4CcjZoCvGO

http://199.115.117.201/1166-bsplayer265.1074.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
http://offering.service.distributionengine.conduit-services.com/DecisionEngine.ashx

TCP (HTTP):
Connects to cms.distributionengine.conduit-services.com  (54.243.251.51:80)
