update1409gy.exe

RouletteBotPlus Update

O.T.S.D WEB SERVICES LTD

The application update1409gy.exe by O.T.S.D WEB SERVICES has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from updates.roulettebotplus.com.
Publisher:
O.T.S.D WEB SERVICES LTD  (signed and verified)

Product:
RouletteBotPlus Update

Version:
1.0.19

MD5:
acaa48c3169ba8ae164c76d88c608e9a

SHA-1:
3107a1dc4deb912987d7b46bdb64b11081a041b3

SHA-256:
7b2ed017a57dee163887d4bcaa9626ebf987a14062d52c885b524b56c4b2e873

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/27/2024 6:09:12 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.OTSDWEBS.Installer (M)
16.5.13.3

File size:
2.1 MB (2,185,368 bytes)

Product version:
1.0.19

Copyright:
Copyright © 2010-2013 O.T.S.D WEB SERVICES LTD

Original file name:
RBPUpdate.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\update1409gy.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
7/20/2012 1:00:00 AM

Valid to:
8/15/2014 12:59:59 AM

Subject:
CN=O.T.S.D WEB SERVICES LTD, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=O.T.S.D WEB SERVICES LTD, L=Tel aviv -Jaffa, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
162EEF0F1749CA2D8EFA6D3006F8847A

File PE Metadata
Compilation timestamp:
12/30/2012 8:49:43 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:CACK3NMJmQtYEzFWjnUVux4fnwonhO+th3ntrTG5uldJY6V0/5F1eJDuoPxu2wqh:vp6PfgUVZnq+BqEvuGPkqaqwpRqOCZ

Entry address:
0x12DCF

Entry point:
55, 8B, EC, 6A, FF, 68, 50, 5E, 41, 00, 68, 60, 2F, 41, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, DC, 41, 41, 00, 59, 83, 0D, 84, A9, 41, 00, FF, 83, 0D, 88, A9, 41, 00, FF, FF, 15, E0, 41, 41, 00, 8B, 0D, 7C, 89, 41, 00, 89, 08, FF, 15, E4, 41, 41, 00, 8B, 0D, 78, 89, 41, 00, 89, 08, A1, E8, 41, 41, 00, 8B, 00, A3, 80, A9, 41, 00, E8, 1D, 01, 00, 00, 39, 1D, 50, 87, 41, 00, 75, 0C, 68, 58, 2F, 41, 00, FF, 15, EC, 41...
 
[+]

Entropy:
7.9868

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
74 KB (75,776 bytes)

The file update1409gy.exe has been seen being distributed by the following URL.

Remove update1409gy.exe - Powered by Reason Core Security