e29193b0-b61f-4d86-ada8-6277dd849368-4.exe

PlusHD-V1.9

Bright circle investments Ltd.

This adware utilizes the Crossrider extension platform and will inject advertisiments in the Internet browser and may modify core browser settings. Ads will be delivered as banners and contextual text-links and may promote other potentially unwanted software. The application e29193b0-b61f-4d86-ada8-6277dd849368-4.exe by Bright circle investments has been detected as adware by 39 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.
Publisher:
PlusHDv1.9  (signed by Bright circle investments Ltd.)

Product:
PlusHD-V1.9

Description:
PlusHD-V1.9 exe

Version:
1000.1000.1000.1000

MD5:
7f2555363c331e9ec2bf72764c84b129

SHA-1:
8289042b37cf736872a876edce30317b9171404d

SHA-256:
44b3a96c87a3088a3f9d9bbfe40b500afa6fa73e0f0762d1652d9c4f63140055

Scanner detections:
39 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
12/25/2024 5:11:15 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Sality.3
921

Agnitum Outpost
Win32.Sality.BK
7.1.1

AhnLab V3 Security
Win32/Kashu.E
2014.07.08

Avira AntiVirus
Adware/CrossRider.A.15060
7.11.157.208

avast!
Win32:SaliCode
2014.9-140729

AVG
Win32/Sality
2015.0.3399

Baidu Antivirus
Virus.Win32.Sality.$Emu
4.0.3.14729

Bitdefender
Win32.Sality.3
1.0.20.1050

Bkav FE
W32.Sality.PE
1.3.0.4959

Comodo Security
Virus.Win32.Sality.Gen
18804

Dr.Web
Win32.Sector.21
9.0.1.0210

Emsisoft Anti-Malware
Win32.Sality
8.14.07.29.12

ESET NOD32
Win32/Toolbar.CrossRider.AK (variant)
8.10024

F-Prot
W32/Sality.gen2
v6.4.6.5.141

F-Secure
Win32.Sality.3
11.2014-29-07_3

G Data
Win32.Sality
14.7.24

IKARUS anti.virus
Virus.Win32.Sality
t3scan.1.6.1.0

K7 AntiVirus
Virus
13.180.12643

Kaspersky
Virus.Win32.Sality
14.0.0.3490

McAfee
W32/Sality.gen.z
5600.7055

Microsoft Security Essentials
Threat.Undefined
1.177.1852.0

MicroWorld eScan
Win32.Sality.3
15.0.0.630

NANO AntiVirus
Riskware.Win32.AdLoad.dbsers
0.28.0.60577

Norman
Sality.ZHB
11.20140729

nProtect
Virus/W32.Sality.D
14.07.07.01

Panda Antivirus
W32/Sality.AA
14.07.29.12

Qihoo 360 Security
Malware.QVM19.Gen
1.0.0.1015

Quick Heal
W32.Sality.U
7.14.14.00

Reason Heuristics
PUP.Task.Brightcircleinvestments.g
14.7.17.9

Rising Antivirus
PE:Win32.KUKU.kt!1591113
23.00.65.14727

Sophos
Mal/Sality-D
4.98

Total Defense
Win32/Sality.AA
37.0.11045

Trend Micro House Call
PE_SALITY.RL
7.2.210

Trend Micro
PE_SALITY.RL
10.465.29

Vba32 AntiVirus
Virus.Win32.Sality.bakb
3.12.26.3

VIPRE Antivirus
Crossrider
30824

ViRobot
Win32.Sality.N
2011.4.7.4223

Zillya! Antivirus
Virus.Sality.Win32.20
2.0.0.1850

File size:
838.1 KB (858,168 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
PlusHD-V1.9.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\plushd-v1.9\e29193b0-b61f-4d86-ada8-6277dd849368-4.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/20/2014 3:00:00 AM

Valid to:
6/21/2015 2:59:59 AM

Subject:
CN=Bright circle investments Ltd., O=Bright circle investments Ltd., STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4347D0F2AD67F1767C932B3BFBEA7713

File PE Metadata
Compilation timestamp:
6/27/2014 1:03:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:sccKa5cCaFSGW2guR5MtRCJxR1DBFZZdqFZnTms9GAouttAfaa/dw5pTwv:scMOEYgC5MtRCJxR128itmaamTy

Entry address:
0x8A45F

Entry point:
E8, 7F, E3, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01, 01, 81, 74, E8, 8B, 41, FC, 84, C0, 74, 32, 84, E4, 74, 24, A9, 00, 00, FF, 00, 74, 13, A9, 00, 00, 00, FF, 74, 02, EB, CD, 8D, 41, FF, 8B, 4C, 24, 04, 2B, C1, C3, 8D, 41...
 
[+]

Entropy:
6.5471

Code size:
689 KB (705,536 bytes)

Scheduled Task
Task name:
e29193b0-b61f-4d86-ada8-6277dd849368-4

Trigger:
Logon (Runs on logon)

Action:
e29193b0-b61f-4d86-ada8-6277dd849368-4.exe \bwuggrlvd \bwwze='plushd-v1.9' \balql='C:\program


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-50-63-202-57.ip.secureserver.net  (50.63.202.57:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.82.233:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.10:80)

Remove e29193b0-b61f-4d86-ada8-6277dd849368-4.exe - Powered by Reason Core Security