hdflashplayer-chrome.exe

Berta Brid Eco

The file is an NSIS setup application that installs an ad-injecting web browser extension. Once installed, the extension injects advertising into visited pages in the form of unwanted banners and text links, which may lead to malware sites and install further unwanted software. hdflashplayer-chrome.exe by Berta Brid Eco has been detected as adware by 8 of 68 anti-malware scanners. The file has been seen being downloaded from www.hdvidcodecs.com and multiple other hosts, and is distributed as part of the Brightcircle group of browser extensions. It carries an Authenticode signature issued to the publisher by COMODO; the signature identifies who signed the file and says nothing about whether it is safe, and the signing certificate expired on 8/15/2015.
Publisher:
Berta Brid Eco  (signed and verified)

MD5:
d7161d01cf5fd4ce2539836e2483e9dc

SHA-1:
1531aadad7990fde59f31abf356a53796e1ea6a1

SHA-256:
093270251028998aa0b346207ce4776b2e8dafce6e215c272f4cc865ef24cee9

Scanner detections:
8 / 68

Status:
Adware

Explanation:
The installer bundles additional adware-type (ad-supported) offers that are displayed to the user during setup and typically installed by default, including web browser ad-injectors. Distributed through the Brightcircle investments brand.

Analysis date:
12/25/2024 1:45:00 AM UTC

Scan engine           Detection                          Engine version
AVG                   Win.Threat.Medium                  2014.0.4015
Dr.Web                Threat.Undefined                   9.0.1.05190
ESET NOD32            Win32/AdWare.1ClickDownload.AT     8.10402
G Data                NSIS.Adware.OneClickDownloader     14.9.24
NANO AntiVirus        Trojan.Nsis.Yotoon.deckrr          0.28.2.61942
Qihoo 360 Security    Win32/Virus.Adware.47b             1.0.0.1015
Reason Heuristics     PUP.BertaBridEco.U                 14.9.11.11
Sophos                PUA.FT Downloader                  5.05

File size:
396.3 KB (405,856 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\hdflashplayer-chrome.exe

Digital Signature
Signed by:
Berta Brid Eco

Authority:
COMODO CA Limited

Valid from:
8/14/2014 1:00:00 AM

Valid to:
8/15/2015 12:59:59 AM

Subject:
CN=Berta Brid Eco, O=Berta Brid Eco, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EF48FE90F98CEC7AF0FDEECC0B376D44

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:46 PM  (build time of the precompiled NSIS 2.x installer stub, not the date this installer was generated; every installer built with the same NSIS release shares it)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:zscHTYsNHg5LIL7z5HgCsAPALKaRICeeoSHLhjPPzOK4XqkswZ:Bzlhg5LIz2C54LDRVt9jnJ46s

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...

Entropy:
7.8915

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
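The hashes, entropy, compile timestamp and entry address above are the fields an analyst checks first when a downloaded installer lands in a sandbox. The script below is an added example, not code from Reason Core Security or from the publisher: it hashes a file, matches it against the three hash indicators copied from this report, computes whole-file Shannon entropy, and parses the COFF TimeDateStamp and AddressOfEntryPoint by hand from the PE header. The PE sample it builds for the demo is constructed in the script (it only reproduces the stub timestamp and entry RVA from the report), so the IOC match is expected to miss on it; pass a real file path on the command line to triage that instead.

```python
"""Offline triage of a downloaded installer against the indicators on this page.

Added example, not code from Reason Core Security. The IOC hashes are copied from
the report; the PE sample in __main__ is constructed here, not the real file.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Hash indicators copied from the report above.
IOCS = {
    "md5": "d7161d01cf5fd4ce2539836e2483e9dc",
    "sha1": "1531aadad7990fde59f31abf356a53796e1ea6a1",
    "sha256": "093270251028998aa0b346207ce4776b2e8dafce6e215c272f4cc865ef24cee9",
}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the bytes as lower-case hex, keyed like IOCS."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes.
    NSIS installers carry a compressed payload, so a whole-file value near
    7.9 (the report shows 7.8915) is the normal look of this packer and not,
    on its own, a sign of custom obfuscation."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_header_info(data: bytes):
    """Return (TimeDateStamp, AddressOfEntryPoint) parsed by hand from the
    COFF and optional headers, or None if the bytes are not a PE image."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
        timestamp = struct.unpack_from("<I", data, coff + 4)[0]
        # Optional header starts 20 bytes in; AddressOfEntryPoint is at +16.
        entry_rva = struct.unpack_from("<I", data, coff + 20 + 16)[0]
    except struct.error:          # truncated header: not a usable PE
        return None
    return timestamp, entry_rva


def triage(data: bytes) -> dict:
    """Hash the sample, match it against the IOCs, and pull the PE fields the
    report lists (compile timestamp, entry address, entropy)."""
    hashes = file_hashes(data)
    result = {
        "hashes": hashes,
        "ioc_hits": [k for k in IOCS if hashes[k] == IOCS[k]],
        "entropy": round(shannon_entropy(data), 4),
    }
    info = pe_header_info(data)
    if info is not None:
        ts, entry = info
        result["compile_time"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        result["entry_rva"] = hex(entry)
    return result


def build_minimal_pe(timestamp: int, entry_rva: int, payload: bytes) -> bytes:
    """Constructed stand-in for a real sample: just enough of a PE header for
    pe_header_info() to parse (DOS stub, PE signature, COFF, optional header)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0x5C00, 0, 0, entry_rva)  # PE32, linker 6.0
    return dos + b"PE\0\0" + coff + opt + payload


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # triage a real file from disk
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:                                      # constructed demo sample
        # 1260053446 = 2009-12-05 22:50:46 UTC, the NSIS 2.x stub timestamp in the report
        demo = build_minimal_pe(1260053446, 0x323C, bytes(range(256)) * 8)
        print(triage(demo))
```

A hash hit against IOCS is the only exact match; a near-identical build with one byte changed misses all three, which is why the report also records a CTPH (ssdeep) digest for fuzzy comparison. The parsed compile time for the real file will read 2009-12-05, and that is the NSIS stub's build time, so do not use it to date the campaign.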

The file hdflashplayer-chrome.exe has been seen being distributed from 11 URLs. The ones recorded here all hit the same marmardr.php landing script on www.hdvidcodecs.com, differing only in the sid tracking parameter.

https://www.hdvidcodecs.com/.../marmardr.php?subid=marmarlk&sid=ZjdXVpZD01MTM0YmQ4NS05YmQyLTQ4YzYtYmM0ZS04N2MwNWQxY2VjNjQ

https://www.hdvidcodecs.com/.../marmardr.php?subid=marmarlk&sid=Z5dXVpZD05Mzk1YWYyYS1mZjIyLTQyYmItOTBiNC1hYzMyYTZhYjc5OWU

https://www.hdvidcodecs.com/.../marmardr.php?subid=marmarlk&sid=Z3dXVpZD0yZWZkOTFhOC1jZGVhLTRkZmQtYmVkNi05NTM1OTJhM2U3ZWQ

https://www.hdvidcodecs.com/.../marmardr.php?subid=marmarlk&sid=Z3dXVpZD0yOWI4YmY3MS0xZmNjLTRlOGUtODEyNC05YzE5NmNlNDU3YTg

Remove hdflashplayer-chrome.exe - Powered by Reason Core Security