setup.exe

Bright circle investments Ltd.

This adware utilizes the Crossrider extension platform and will inject advertisiments in the Internet browser and may modify core browser settings. Ads will be delivered as banners and contextual text-links and may promote other potentially unwanted software. The application setup.exe by Bright circle investments has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Nullsoft Install System installer. It is distributed as part of the Brightcircle group of browser-extensions.
Publisher:
Bright circle investments Ltd.  (signed and verified)

Description:
Gwbemgoknepjdm

Version:
20.20.14.10

MD5:
2d2b8e625f51eeda5010c1ee357dcce8

SHA-1:
49a5b098cf2a1e86ed1760d04a5d53ebf798951b

SHA-256:
ce526ab090aa0a0997103bb72fc6c0d96ae655fec7732b956606afbbacf9bb6f

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/23/2024 10:38:09 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.BrightCircle.Installer (M)
16.4.6.1

File size:
7.9 MB (8,288,656 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/19/2014 8:00:00 AM

Valid to:
6/20/2015 7:59:59 AM

Subject:
CN=Bright circle investments Ltd., O=Bright circle investments Ltd., STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EF90FEF9AC8E258E5D30D0E08C84D37E

File PE Metadata
Compilation timestamp:
12/4/2012 9:55:02 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:gOBLhLgjKzAPisXd8JxlPcZK/Z5WcV2i5YPFUGR3GRBx:guLajKUPistuxl0oZ5WcHYxqn

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 
[+]

Entropy:
7.9986  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file setup.exe has been seen being distributed by the following URL.

Remove setup.exe - Powered by Reason Core Security