eqghxmsgmdpkwt.exe

Clash Project (Bright Circle Investments Ltd)

This adware is a web browser extension that injects advertising into the browser in the form of unwanted banners and text links, which may link to malware sites and install unwanted software. The application eqghxmsgmdpkwt.exe by Clash Project (Bright Circle Investments) has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the Nullsoft Install System installer, and it is typically executed from the user's temporary directory. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol. It is part of the Brightcircle group of web extensions that inject advertisements into the browser.
Publisher:
Crmqlqgpwxbqgr LTD  (signed by Clash Project (Bright Circle Investments Ltd))

Description:
Rhdapwkxhcd

Version:
1.36.01.22

MD5:
fbb8bf97286528c3843d5b59fe66de0d

SHA-1:
50f9cfe10a206a40de083c95d855b46d2f07a8ae

SHA-256:
0f303aa3890c05e24a05d72014ec63596f790ab9a8b78aebca0b1adc2bd37e3c

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Analysis date:
11/5/2024 10:12:18 PM UTC

Scan engine:
Reason Heuristics

Detection:
Adware.BrightCircle.ClashProjectBrightCircleInvestments.Installer (M)

Engine version:
15.10.25.21

File size:
12.4 MB (12,983,168 bytes)

Copyright:
Copyright Ryitrbggwpgudi

Trademarks:
Mrjrkjzgadzwo is a trademark of Ridxskpdzxefe

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\eqghxmsgmdpkwt.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/15/2014 4:00:00 PM

Valid to:
12/16/2015 3:59:59 PM

Subject:
CN=Clash Project (Bright Circle Investments Ltd), O=Clash Project (Bright Circle Investments Ltd), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
75DD4745F68AF8221A12839F4A4F8FE1

File PE Metadata
Compilation timestamp:
12/4/2012 5:55:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
393216:BieZwXN1Pru6Y+Ul6bf7ouuVHdsm5GwJ6X:sATl+fchD11J6X

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Entropy:
7.9991  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.18.132:80)

TCP (HTTP):
Connects to ec2-54-225-152-55.compute-1.amazonaws.com  (54.225.152.55:80)

Remove eqghxmsgmdpkwt.exe - Powered by Reason Core Security