cvac1.exe

Blabbers Communications Ltd

This is the Blabbers installer, a PUP (potentially unwanted program) that will modify the web browser's search behavior as well as may hijack the browser's home page and other providers. The application cvac1.exe by Blabbers Communications has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from media.instcdn.com.
Publisher:
Blabbers Communications Ltd  (signed and verified)

Version:
2

MD5:
15c2b618fcc275f55d071942e47f5297

SHA-1:
5ea5acd357b923abc0cfb1aeb122a837456ed480

SHA-256:
fc9c176301e5dd75c2333bebd0eb26e56ef886e82b1ea443d914b30d7d42e550

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/27/2024 2:52:10 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Blabbers.Installer (M)
16.5.21.7

File size:
1.1 MB (1,112,112 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\cvac1.exe

Digital Signature
Authority:
The USERTRUST Network

Valid from:
2/9/2011 7:00:00 PM

Valid to:
2/10/2012 6:59:59 PM

Subject:
CN=Blabbers Communications Ltd, O=Blabbers Communications Ltd, STREET=Arad 3, L=Tel Aviv, S=Israel, PostalCode=43034, C=IL

Issuer:
CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US

Serial number:
00D561643A7697D633BCB565E2E1EF7365

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:czbObT5po6u3jmLwW/k26x6vw7wwTjGjT9L7N4HweHZ1iPYPY:/Ais7GFL7NA1iPYPY

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9903

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file cvac1.exe has been seen being distributed by the following URL.

http://media.instcdn.com/xmlstatic/emulecom/.../cvac1.exe

Remove cvac1.exe - Powered by Reason Core Security