rssbandit.exe

Babylon Client Setup 1.0

Visual Tools

The application rssbandit.exe, “Babylon Client Setup” by Visual Tools, has been detected as adware by 1 of 68 anti-malware scanners, with strong indications that the file is a potential threat. It is a setup and installation application that has been known to bundle potentially unwanted software. The bundled software displays context-specific advertisements in the browser and attempts to modify the browser's search provider. The file has been seen being downloaded from dl.cdn-services.com.
Publisher:
Babylon Ltd.  (signed by Visual Tools)

Product:
Babylon Client Setup 1.0

Description:
Babylon Client Setup

Version:
1.0.8.0

MD5:
dcc982562d7063d2a856f243f486ee3b

SHA-1:
695f100e1986fd75637d70de24fa6444ee8bcca4

SHA-256:
d5428cb779d2fcfdc4164ca48621358526cce6ce534d0d06f8fa39c2e6a08ef6

Scanner detections:
1 / 68

Status:
Adware

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
12/25/2024 3:44:06 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Babylon.Banylon.Installer (M)

Engine version:
16.2.22.18

File size:
893 KB (914,416 bytes)

Copyright:
2011(c) Babylon Ltd. All rights reserved.

Original file name:
Setup_Stub.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\rssbandit.exe

Digital Signature
Signed by:
Visual Tools
Authority:
Thawte, Inc.

Valid from:
1/10/2013 12:00:00 AM

Valid to:
1/10/2015 11:59:59 PM

Subject:
CN=Visual Tools, O=Visual Tools, L=Belgrade, S=Serbia, C=RS

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
789958B0264F06055619270074AFA61F

File PE Metadata
Compilation timestamp:
10/31/2013 3:22:53 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:IGxRC1qIbZmwnd68g1v3+ZhTUXBp+Z8J4fvuXIaBrQAbn09O8sOEuq9wJOtSFgWZ:5x3Ir6HWGGZ8qvuXPBrP09OtOvKcHHOm

Entry address:
0x62D3

Entry point:
55, 8B, EC, 83, E4, F8, B8, 84, 1A, 00, 00, E8, 5D, F1, FF, FF, 53, 56, 33, DB, 57, 8D, 8C, 24, E8, 07, 00, 00, 88, 5C, 24, 13, C6, 44, 24, 14, 01, E8, 57, 06, 00, 00, 8D, 8C, 24, E8, 07, 00, 00, E8, CD, 05, 00, 00, 8D, 8C, 24, E8, 07, 00, 00, E8, 33, 05, 00, 00, 85, C0, 0F, 85, D9, 00, 00, 00, 8D, 44, 24, 18, 50, 8D, 8C, 24, EC, 07, 00, 00, E8, CB, 00, 00, 00, 8B, F0, 85, F6, 0F, 85, A0, 00, 00, 00, 66, 39, 5C, 24, 18, 74, 5E, 8B, 3D, 38, 91, 40, 00, 8D, 74, 24, 18, 6A, 03, 68, D8, D2, 40, 00, 56, FF, D7...

Entropy:
7.7454

Developed / compiled with:
Microsoft Visual C++

Code size:
30 KB (30,720 bytes)

The file rssbandit.exe has been seen being distributed by the following URL.
