up1449b.exe

RouletteBotPlus Update

O.T.S.D WEB SERVICES LTD

The application up1449b.exe by O.T.S.D WEB SERVICES has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from updates.roulettebotplus.com.
Publisher:
O.T.S.D WEB SERVICES LTD  (signed and verified)

Product:
RouletteBotPlus Update

Version:
1.0.19

MD5:
df2eba1fac9e1325c84542a16c0a04d0

SHA-1:
aadfbaff7fe5358b6f9ff1f73d52a3158100dda3

SHA-256:
d9044c28c372511f5b6a24b2e28103d9a887e80bda1e283eafe3ed392f53dab7

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/5/2024 8:03:56 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.OTSDWEBS.Installer (M)
16.3.29.21

File size:
2.1 MB (2,197,776 bytes)

Product version:
1.0.19

Copyright:
Copyright © 2010-2013 O.T.S.D WEB SERVICES LTD

Original file name:
RBPUpdate.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\up1449b.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
5/21/2014 5:30:00 AM

Valid to:
8/20/2017 5:29:59 AM

Subject:
CN=O.T.S.D WEB SERVICES LTD, O=O.T.S.D WEB SERVICES LTD, L=Tel aviv -Jaffa, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
15803437D43EF013A5AD5FE5113B15A3

File PE Metadata
Compilation timestamp:
12/30/2012 2:19:43 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
49152:NpZPfgUVZnq+BqEvuGPQkQDBtPVMRuSCDr:NHPDjzuGPQTbr3n

Entry address:
0x12DCF

Entry point:
55, 8B, EC, 6A, FF, 68, 50, 5E, 41, 00, 68, 60, 2F, 41, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, DC, 41, 41, 00, 59, 83, 0D, 84, A9, 41, 00, FF, 83, 0D, 88, A9, 41, 00, FF, FF, 15, E0, 41, 41, 00, 8B, 0D, 7C, 89, 41, 00, 89, 08, FF, 15, E4, 41, 41, 00, 8B, 0D, 78, 89, 41, 00, 89, 08, A1, E8, 41, 41, 00, 8B, 00, A3, 80, A9, 41, 00, E8, 1D, 01, 00, 00, 39, 1D, 50, 87, 41, 00, 75, 0C, 68, 58, 2F, 41, 00, FF, 15, EC, 41...
 
[+]

Entropy:
7.9870

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
74 KB (75,776 bytes)

The file up1449b.exe has been seen being distributed by the following URL.

Remove up1449b.exe - Powered by Reason Core Security