coupish_1825642.exe

Blabbers Communications Ltd

This is the Blabbers installer, a PUP (potentially unwanted program) that will modify the web browser's search behavior as well as may hijack the browser's home page and other providers. The application coupish_1825642.exe by Blabbers Communications has been detected as adware by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from software.onekit.com and multiple other hosts.
Publisher:
Blabbers Communications Ltd  (signed and verified)

Version:
2

MD5:
2283489d166052bdc21cfd42cfceaf42

SHA-1:
553014ac2063bed191c1cdd251f160e039deb9c6

SHA-256:
9f8bde1291c57869024cd2532eff362e7a2b74a33bd1f64a48f60249aaa01ff3

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
12/23/2024 11:20:04 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Baidu Antivirus
Trojan.Win32.BrowserCompanion
4.0.3.14124

Comodo Security
Heur.Suspicious
17659

Dr.Web
Adware.Shopper.303
9.0.1.024

ESET NOD32
Win32/BrowserCompanion.B potentially unwanted application
6.3.12010.0

K7 AntiVirus
Trojan
13.175.10926

Malwarebytes
PUP.Optional.Blabbers.A
v2014.01.24.03

Reason Heuristics
PUP.Blabbers (M)
16.12.15.17

Trend Micro House Call
TROJ_GEN.F47V1025
7.2.24

Trend Micro
ADW_BLABBERS
10.465.24

File size:
1 MB (1,078,456 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\coupish_1825642.exe

Digital Signature
Authority:
The USERTRUST Network

Valid from:
2/10/2011 12:00:00 AM

Valid to:
2/10/2012 11:59:59 PM

Subject:
CN=Blabbers Communications Ltd, O=Blabbers Communications Ltd, STREET=Arad 3, L=Tel Aviv, S=Israel, PostalCode=43034, C=IL

Issuer:
CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US

Serial number:
00D561643A7697D633BCB565E2E1EF7365

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:cObT5po6u3jmLwW/k26x6vwdp2a25G6T9E7N44p2arYZ1iPxPy:tAis7dp2TcUE7NNp2M41iPxPy

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file coupish_1825642.exe has been seen being distributed by the following 2 URLs.

http://software.onekit.com/software/ofertas/coupish/AresMod/.../cvac.exe

Remove coupish_1825642.exe - Powered by Reason Core Security