rbp_libraries.exe

RouletteBotPlus Update

O.T.S.D WEB SERVICES LTD

The application rbp_libraries.exe by O.T.S.D WEB SERVICES has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from updates.roulettebotplus.com.
Publisher:
O.T.S.D WEB SERVICES LTD  (signed and verified)

Product:
RouletteBotPlus Update

Version:
1.0.19

MD5:
439c5b1b59cb7b7be3c0f62d9543c454

SHA-1:
f95cf5d3008aa2d1714aba7b6ac8a75324af2326

SHA-256:
7485e0163f5ed95e1979188d8950c3659f3b7e115149932683e6d032005394e1

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/27/2024 6:27:43 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.OTSDWEBSERVICES.N
14.8.7.23

File size:
2.1 MB (2,243,968 bytes)

Product version:
1.0.19

Copyright:
Copyright © 2010-2013 O.T.S.D WEB SERVICES LTD

Original file name:
RBPUpdate.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\rbp_libraries.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
7/20/2012 2:00:00 AM

Valid to:
8/15/2014 1:59:59 AM

Subject:
CN=O.T.S.D WEB SERVICES LTD, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=O.T.S.D WEB SERVICES LTD, L=Tel aviv -Jaffa, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
162EEF0F1749CA2D8EFA6D3006F8847A

File PE Metadata
Compilation timestamp:
12/30/2012 9:49:43 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
49152:6pc5CcmDZAQN4xorO/xakHNgpmcIyIldU8P2X3E70EjZfn4:6C5qmMFiaLpm9z30nE4EjZv4

Entry address:
0x12DCF

Entry point:
55, 8B, EC, 6A, FF, 68, 50, 5E, 41, 00, 68, 60, 2F, 41, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, DC, 41, 41, 00, 59, 83, 0D, 84, A9, 41, 00, FF, 83, 0D, 88, A9, 41, 00, FF, FF, 15, E0, 41, 41, 00, 8B, 0D, 7C, 89, 41, 00, 89, 08, FF, 15, E4, 41, 41, 00, 8B, 0D, 78, 89, 41, 00, 89, 08, A1, E8, 41, 41, 00, 8B, 00, A3, 80, A9, 41, 00, E8, 1D, 01, 00, 00, 39, 1D, 50, 87, 41, 00, 75, 0C, 68, 58, 2F, 41, 00, FF, 15, EC, 41...
 
[+]

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
74 KB (75,776 bytes)

The file rbp_libraries.exe has been seen being distributed by the following URL.

Remove rbp_libraries.exe - Powered by Reason Core Security