sg_6pqssv4em9_active.exe

IB Updater

Bit Cocktail Ltd.

The application sg_6pqssv4em9_active.exe, “IB Updater Setup” by Bit Cocktail, has been detected as a potentially unwanted program by 3 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www5.incredimail.com and multiple other hosts.
Publisher:
IncrediBar (signed by Bit Cocktail Ltd.)

Product:
IB Updater

Description:
IB Updater Setup

MD5:
ec8fee737a490e18407064e70eaf2b47

SHA-1:
f720902d70af779f94245177e52894b28b4b7d70

SHA-256:
92016ab03403b51745ee82018a3ceac38ce8d6f4ead9d6143eeb289088eee936

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 10:36:30 AM UTC

Scan engine         Detection                         Engine version
Baidu Antivirus     Trojan.Win32.Agent                4.0.3.131222
ESET NOD32          Win32/Toolbar.Perion (variant)    7.8973
Reason Heuristics   PUP.Installer.BitCocktail.U       14.3.2.15

File size:
4.1 MB (4,296,000 bytes)

Product version:
2.0.0.530

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\incredimail\sg_6pqssv4em9_active.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
1/17/2012 11:00:00 AM

Valid to:
1/17/2013 10:59:59 AM

Subject:
CN=Bit Cocktail Ltd., O=Bit Cocktail Ltd., L=Herzeliya, S=Herzeliya, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
613E461899A05578474D1423CF9CC340

File PE Metadata
Compilation timestamp:
6/20/1992 8:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:fSkY9l4dGAvwU4RRwm6rjvScTakw7VHqx+eizRYZe8LNFvDlhdpXv:aNNuwDXwm6XS8akMwliz6ZtZhdR

Entry address:
0xBA20

Entry point:
55, 8B, EC, 83, C4, C0, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, 89, 45, C0, B8, 38, B9, 40, 00, E8, 92, 8E, FF, FF, 33, C0, 55, 68, DB, C0, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 9C, C0, 40, 00, 64, FF, 32, 64, 89, 22, A1, 7C, D3, 40, 00, 8B, 00, E8, 7E, FD, FF, FF, E8, A9, F9, FF, FF, 8D, 55, F0, 33, C0, E8, FF, C9, FF, FF, 8B, 55, F0, B8, 88, EE, 40, 00, E8, F6, 77, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 88, EE, 40, 00, B2, 01, A1, AC, 8B, 40, 00, E8, AE, D2, FF, FF, A3, 8C, EE, 40, 00, 33...

Entropy:
7.9978

Developed / compiled with:
Microsoft Visual C++

Code size:
44.5 KB (45,568 bytes)

The file sg_6pqssv4em9_active.exe has been seen being distributed from the following 7 URLs.

http://www5.incredimail.com/incredibar/201301270144/setup/default/installer/.../sg.exe

http://www5l.incredimail.com/incredibar/201212110909/setup/default/installer/.../sg.exe

http://www5.incredimail.com/incredibar/201301281813/setup/default/installer/.../sg.exe

http://www5l.incredimail.com/incredibar/201301071425/setup/default/installer/.../sg.exe

http://www5l.incredimail.com/incredibar/201301230122/setup/default/installer/.../sg.exe

Powered by Reason Core Security