never_blue04_8668_319894.exe

Big Bulb Ideas IT Pvt Ltd

The application never_blue04_8668_319894.exe by Big Bulb Ideas IT Pvt has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. The file has been seen being downloaded from secure.rocketdlgo.com and multiple other hosts.
Publisher:
Big Bulb Ideas IT Pvt Ltd  (signed and verified)

MD5:
4d9ceb0af44b13f089498c02c5ba7299

SHA-1:
c966ff9ebdb190b9d6cddd9638e1669805b99d76

SHA-256:
fbf242130b1ec33a4d3d5220a5ef8f88f8234c2ffd45d4866c61962ed3094f7e

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Uses the InstallMonetizer distribution platform to bundle adware.

Analysis date:
11/23/2024 10:37:06 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/InstallMonetizer.AG
8.9267

McAfee
Artemis!4D9CEB0AF44B
5600.7148

Reason Heuristics
PUP.BigBulbIdeasITPvt.Y
14.8.8.0

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.14424

SUPERAntiSpyware
Heur.Agent/Gen-WhiteBox
10642

Trend Micro House Call
TROJ_GEN.F47V1208
7.2.116

File size:
469.6 KB (480,832 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\never_blue04_8668_319894.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
11/27/2013 7:00:00 PM

Valid to:
11/28/2014 6:59:59 PM

Subject:
CN=Big Bulb Ideas IT Pvt Ltd, O=Big Bulb Ideas IT Pvt Ltd, STREET="C5/1, Road#2, Vikrampuri Colony", L=Secunderabad, S=Andhra Pradesh, PostalCode=500006, C=IN

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EC052E7D4F74A667E7C16553EE590DBE

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:ZWO7pYYF3RkaJqJFp8pbJd5+8AtVbJd5A8q:EO3FBkaJqupbJd5+8AtVbJd5A8q

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.6522

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file never_blue04_8668_319894.exe has been seen being distributed by the following 2 URLs.

Remove never_blue04_8668_319894.exe - Powered by Reason Core Security