c01208e4-b2ad-40c1-9810-40447884a00b-9.exe

Kimahri Software inc.

This adware uses the Crossrider platform to build and distribute this web browser advertising injection extension. Once installed in the browser it will hijack various browser settings (homepage, search) and may interfere and track behaviors as well as deliver ads. The application c01208e4-b2ad-40c1-9810-40447884a00b-9.exe by Kimahri Software inc has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is distributed as part of the Brightcircle group of browser-extensions.
Publisher:
Kimahri Software inc.  (signed and verified)

MD5:
350a6b3cfbdc36020341340a823cd850

SHA-1:
f0ce634fa2794756f0bd1bfc174f65b06517b2cd

SHA-256:
c07368ee84499faa0a372f74a1bebe7e59aaff334fad7d0485921aa0ffd3915d

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/23/2024 1:39:25 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Brightcicrle.Brightcircle (M)
16.3.1.9

File size:
918.4 KB (940,392 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\plus-hd-9.5\c01208e4-b2ad-40c1-9810-40447884a00b-9.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
3/6/2013 7:00:00 PM

Valid to:
3/6/2016 6:59:59 PM

Subject:
CN=Kimahri Software inc., O=Kimahri Software inc., STREET=666 Sherbrooke Rue w, L=Montreal, S=Quebec, PostalCode=H3A 1E7, C=CA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A1BB8569950C0B2080A11A0E2F618B33

File PE Metadata
Compilation timestamp:
6/2/2014 11:36:36 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:YhcJWx4IzwTAZWiSb4oF3pSdDTzLEsYqsu4L:4yqVzhZo3pSdDTzLEsYzu4L

Entry address:
0x72E44

Entry point:
E8, 3E, 13, 01, 00, E9, 7F, FE, FF, FF, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 55, 8B, EC, E8, 0F, 00, 00, 00, 83, 7D, 08, 00, 74, 05, E8, 07, 1F, 01, 00, DB, E2, 5D, C3, B8, 09, 43, 48, 00, A3, 78, D8, 4C, 00, C7, 05, 7C, D8, 4C, 00, E9, 4B, 48, 00, C7, 05, 80, D8, 4C, 00, 78, 4C, 48, 00, C7, 05, 84, D8, 4C, 00, D0, 4C, 48, 00, C7, 05, 88, D8, 4C, 00, 53, 4D, 48, 00...
 
[+]

Code size:
574.5 KB (588,288 bytes)

Scheduled Task
Task name:
c01208e4-b2ad-40c1-9810-40447884a00b-9

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-184-168-221-56.ip.secureserver.net  (184.168.221.56:80)

TCP (HTTP):
Connects to ip-184-168-221-36.ip.secureserver.net  (184.168.221.36:80)

Remove c01208e4-b2ad-40c1-9810-40447884a00b-9.exe - Powered by Reason Core Security