setup_204628.exe

Bubble Dock

NOSIBAY

The application setup_204628.exe by NOSIBAY has been detected as a potentially unwanted program by 12 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.bubbledock.net.
Publisher:
NOSIBAY  (signed and verified)

Product:
Bubble Dock

Version:
3.0.705.0.62446

MD5:
fb2d8de806cb0cbeb3f8bbd4a3792c63

SHA-1:
a33ba6699d2646456f4bf2967ae597ca8ed8a7b7

SHA-256:
8672ef83ea0f8795a6809879688dadbb2931c43500527560711f9aeb4d62deb5

Scanner detections:
12 / 68

Status:
Potentially unwanted

Analysis date:
12/23/2024 12:39:24 PM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2016.0.3116

Baidu Antivirus
PUA.Win32.BubbleDock
4.0.3.1557

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Downware.10519, Adware.Downware.9155
9.0.1.0127

ESET NOD32
Win32/BubbleDock.A potentially unwanted
9.11499

herdProtect (fuzzy)
2015.8.5.22

K7 AntiVirus
Trojan
13.202.15641

McAfee
Artemis!AFE87ED50398
5600.6772

Panda Antivirus
PUP/Nosibay
15.05.07.09

Reason Heuristics
PUP.Installer.NOSIBAY
15.5.7.17

Trend Micro House Call
Suspicious_GEN.F47V0217
7.2.127

VIPRE Antivirus
Threat.4791953
39354

File size:
380.3 KB (389,472 bytes)

Copyright:
© Nosibay

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\setup_204628.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
9/24/2014 8:00:00 PM

Valid to:
12/25/2015 6:59:59 PM

Subject:
CN=NOSIBAY, OU=Secure Application Development, O=NOSIBAY, L=PEROLS, S=Hérault, C=FR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
52E368957AD1C7202A103C7CFD7BD6C2

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:TseB3ri0RfDR9/0dZWLMb0Xudr3IAkMxp24mq+JE56xdDGQ8ZzAN:rTBj/02kdr3IAB29EmoZ+N

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file setup_204628.exe has been seen being distributed by the following URL.

Remove setup_204628.exe - Powered by Reason Core Security