bsplayer268.1077.exe

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The application bsplayer268.1077.exe by ClientConnect has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from download7.bsplayer.com and multiple other hosts. While running, it connects to the Internet address cms.dmccint.com on port 80 using the HTTP protocol.
Publisher:
ClientConnect LTD  (signed and verified)

MD5:
bd31ab32be858fae7e093c29479c5b84

SHA-1:
69d5d55f6380fdd8433e18dc0a67096c523fd777

SHA-256:
22ba44e1db35c3a88a9eda54d42be745d90025035e910cacb8d9b6c0d0787d89

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:
11/27/2024 12:40:35 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Adware-BRM [PUP]
2014.9-141203

AVG
Generic
2015.0.3272

Dr.Web
Adware.Conduit.87
9.0.1.0337

ESET NOD32
Win32/ClientConnect (variant)
8.10812

K7 AntiVirus
Unwanted-Program
13.186.14198

Kaspersky
not-a-virus:WebToolbar.Win32.Agent
14.0.0.2853

Malwarebytes
PUP.Optional.ClientConnect
v2014.12.03.10

Qihoo 360 Security
Win32/Virus.WebToolbar.8f1
1.0.0.1015

Reason Heuristics
PUP.ClientConnect.P
14.12.3.10

VIPRE Antivirus
Conduit
35338

Zillya! Antivirus
Adware.Agent.Win32.13031
2.0.0.1997

File size:
743 KB (760,816 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\bsplayer268.1077.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/4/2014 12:00:00 AM

Valid to:
2/5/2016 11:59:59 PM

Subject:
CN=ClientConnect LTD, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=DM3, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
72ACCA392AFB8F2E42D5D3C0C97523F2

File PE Metadata
Compilation timestamp:
2/24/2012 7:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:aEQ+/rX87nNRXkMhwONu9Fwa7S4KFZHaSiGxGQJQ//sBveLv7pzFZ9YCQyA2:aD+/cnHXkIUnS4KFVQQJpe/pH91Q0

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file bsplayer268.1077.exe has been seen being distributed by the following 4 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to cms.dmccint.com  (23.67.242.80:80)

 
http://cms.dmccint.com/DynamicOffer/14477881/14499004/?mainofferId=14474447&CurrentStep=2&TotalSteps=4&DownloadBrowser=IE&CType=-1&UserMode=-1&DMVersion=1.3.4.44.14497870.01&Language=US-EN

Remove bsplayer268.1077.exe - Powered by Reason Core Security