setup_12184.exe

Bubble Dock

NOSIBAY

The application setup_12184.exe by NOSIBAY has been detected as a potentially unwanted program by 12 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.bubbledock.us.
Publisher:
NOSIBAY  (signed and verified)

Product:
Bubble Dock

Version:
3.0.705.0.62446

MD5:
f752197f17b9442309455cfd66722f59

SHA-1:
39ec28d7f1618edc39a0aec63680e7b77d1b4d11

SHA-256:
8a680763a91d1f333085dae1cc05d25689282e804c9c6ab2434654b31450a7c6

Scanner detections:
12 / 68

Status:
Potentially unwanted

Analysis date:
12/23/2024 12:36:14 PM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2016.0.3136

Baidu Antivirus
PUA.Win32.BubbleDock
4.0.3.15417

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Downware.10519, Adware.Downware.9155
9.0.1.0107

ESET NOD32
Win32/BubbleDock.A potentially unwanted
9.11499

herdProtect (fuzzy)
2015.7.19.4

K7 AntiVirus
Trojan
13.202.15641

McAfee
Artemis!F752197F17B9
5600.6792

Panda Antivirus
PUP/Nosibay
15.04.17.01

Reason Heuristics
PUP.Installer.NOSIBAY
15.4.17.9

Trend Micro House Call
Suspicious_GEN.F47V0331
7.2.107

VIPRE Antivirus
Threat.4791953
39354

File size:
380.3 KB (389,472 bytes)

Copyright:
© Nosibay

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\setup_12184.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
9/24/2014 8:00:00 PM

Valid to:
12/25/2015 6:59:59 PM

Subject:
CN=NOSIBAY, OU=Secure Application Development, O=NOSIBAY, L=PEROLS, S=Hérault, C=FR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
52E368957AD1C7202A103C7CFD7BD6C2

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:TseB3ri0RfDR9/0dZWLMb0Xudr3IAkMxp24mq+JE56xdDGQ8ZzAh:rTBj/02kdr3IAB29EmoZ+h

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.1364

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file setup_12184.exe has been seen being distributed by the following URL.

Remove setup_12184.exe - Powered by Reason Core Security