e2f1932a-e9a8-4a36-aae7-f929882d3925-4.exe

HQPureV1.8

Evangelion Group

This potentially unwanted Internet browser extension is built upon and distributed using the free Crossrider platform and will deliver advertisements to the web browser in various formats such as banner, text hyper-links, inline text and transitional ads. The application e2f1932a-e9a8-4a36-aae7-f929882d3925-4.exe by Evangelion Group has been detected as adware by 13 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is distributed as part of the Brightcircle group of browser-extensions.
Publisher:
HQPure  (signed by Evangelion Group)

Product:
HQPureV1.8

Description:
HQPureV1.8 exe

Version:
1000.1000.1000.1000

MD5:
18a29f3e6c948977c42f16227378ded1

SHA-1:
543a2bec52519db3db2f5b293cd39462c8c2d35c

SHA-256:
144baee1196a14128e11a6314f2ac74d1646fe9c763d9f0244f05b68dfa41f6e

Scanner detections:
13 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements. Distributed through the Brightcircle investments brand.

Analysis date:
12/26/2024 1:32:12 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Crossrider-N [PUP]
2014.9-140914

AVG
Generic
2015.0.3392

Baidu Antivirus
PUA.Win32.CrossRider
4.0.3.14912

Dr.Web
Trojan.Crossrider.17413
9.0.1.0255

ESET NOD32
Win32/Toolbar.CrossRider.AK potentially unwanted application
8.7.0.302.0

IKARUS anti.virus
not-a-virus:WebToolbar.CrossRider
t3scan.1.6.1.0

Kaspersky
Trojan.NSIS.GoogUpdate
14.0.0.3255

Malwarebytes
PUP.Optional.Sense.A
v2014.08.05.10

Panda Antivirus
Trj/Genetic.gen
14.09.14.01

Qihoo 360 Security
HEUR/Malware.QVM10.Gen
1.0.0.1015

Reason Heuristics
PUP.Task.EvangelionGroup.g
14.8.5.22

VIPRE Antivirus
Threat.4789396
31208

File size:
1.4 MB (1,429,872 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
HQPureV1.8.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\hqpurev1.8\e2f1932a-e9a8-4a36-aae7-f929882d3925-4.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
7/28/2014 4:30:00 AM

Valid to:
7/29/2015 4:29:59 AM

Subject:
CN=Evangelion Group, O=Evangelion Group, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Cyprus, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0095E2A1168FF10F1D56CF5FFE4ABC7450

File PE Metadata
Compilation timestamp:
8/1/2014 2:33:56 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:WfTizgZTMSu011Jr1xfDRSS7baxcSMuqSzE70bKdVSKUxH7//npS2DT5wwV:W7WMTp1/3DIeunHqSg0olS73npS2DTeU

Entry address:
0xDFBA0

Entry point:
E8, 63, 00, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 96, 01, 01, 00, 3B, 30, 7C, 07, E8, 8D, 01, 01, 00, 8B, 30, E8, 80, 01, 01, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, D4, 5E, 00, 00, 8B, F0, 85, F6, 75, 07, B8, 40, E6, 53, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 7E, 31, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, 40, E6, 53, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, DF, ED...
 
[+]

Entropy:
6.6143

Code size:
1 MB (1,065,984 bytes)

Scheduled Task
Task name:
c5e13eda-ffa2-4e7c-8808-d717ccaa98bc

Trigger:
Logon (Runs on logon)

Action:
e2f1932a-e9a8-4a36-aae7-f929882d3925-4.exe \xzojad=v0qqc0j9yvpfjgou9ahapxbc7hqk4dtkgdxejihbn0


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.49.90:80)

Remove e2f1932a-e9a8-4a36-aae7-f929882d3925-4.exe - Powered by Reason Core Security