dcbraiegut_gutbl_setup.exe

BrowserAir (GOOBZO LTD)

The application dcbraiegut_gutbl_setup.exe by BrowserAir (GOOBZO) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It runs as a scheduled task under the Windows Task Scheduler. While running, it connects to the Internet address server-54-230-39-39.jfk1.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
BrowserAir (GOOBZO LTD)  (signed and verified)

Version:
2.9.0.999

MD5:
02c4553c4a782f664b9d47a1e52e9f29

SHA-1:
394a616fea616406c3ab12f40acf59332500d7ee

SHA-256:
228db4eac5d27e4a4debc380f5443ee20d5f75f39418a30889ff80ad5338ee79

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
4/26/2024 8:29:45 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Goobzo.Installer (M)

Engine version:
15.7.25.18

File size:
2.3 MB (2,364,312 bytes)

Product version:
2.9.0.999

Copyright:
Copyright (C) 2014

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\installer\install_31290\dcbraiegut_gutbl_setup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/10/2015 6:00:00 PM

Valid to:
2/11/2016 5:59:59 PM

Subject:
CN=BrowserAir (GOOBZO LTD), O=BrowserAir (GOOBZO LTD), STREET="Bldg #15 Matam", L=Haifa, S=Haifa, PostalCode=31905, C=IL

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3B4F9A8B40F303C8AAD1D77B2A2B4674

File PE Metadata
Compilation timestamp:
7/25/2015 1:57:03 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:o4erXlb7BZfdsB1icGIhrZ8pqSjO/CRctRYQdYRAS3JcU76TR84BXpPKvD3odEaO:4ZfW1BGID83S/CRkFYRNh2VBMv7odE9f

Entry address:
0x4DC853

Entry point:
E9, 2B, 5E, DD, FF, FF, 34, 24, E8, 32, 97, FF, FF, F7, 30, 6F, AB, F5, 58, 4B, 6A, EA, 38, BE, 14, 8A, E8, B6, 36, B9, 6F, 65, 16, 27, 3F, 80, 6B, 2A, BF, DA, D3, 8F, 5F, A9, DA, B7, 7F, 3F, A8, C6, CA, CE, 9E, E8, F0, B9, EB, 23, 88, CE, 40, D3, 75, 94, 8C, FF, 3A, 2E, FB, 40, 2D, 19, 56, 41, DF, 65, AB, 96, 24, 54, 77, BF, 00, 8E, C8, 50, 7D, 33, 85, BA, F7, 5C, AD, E9, E3, AA, 03, 61, 97, 04, 5D, 8A, DF, 14, 89, 6A, 1F, 7C, C5, 12, 6F, 80, 39, 7A, 2B, 7C, 55, 56, 2B, 34, F5, 26, F3, 0A, 7F, 98, 2A, 4F...

Entropy:
7.8936

Packer / compiler:
Xtreme-Protector v1.05

Code size:
548.5 KB (561,664 bytes)

Scheduled Task
Task name:
Inst_Rep

Trigger:
Registration (Runs on registration)
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-39-39.jfk1.r.cloudfront.net  (54.230.39.39:80)

TCP (HTTP):
Connects to server-54-230-38-69.jfk1.r.cloudfront.net  (54.230.38.69:80)

Remove dcbraiegut_gutbl_setup.exe - Powered by Reason Core Security