dcbraiegut_gutbl_setup.exe

BrowserAir (GOOBZO LTD)

The application dcbraiegut_gutbl_setup.exe by BrowserAir (GOOBZO) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. It runs as a scheduled task under the Windows Task Scheduler. While running, it connects to the Internet address server-205-251-251-200.jfk5.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
BrowserAir (GOOBZO LTD)  (signed and verified)

Version:
2.9.0.999

MD5:
2054b9dd26799847b0b78775d835dd11

SHA-1:
80cab5ed5acb37e266e061ec0d04332757b52211

SHA-256:
312505114575207cd4a583f5578c5bf30fca33a5eb963ee1f0b4894271e6f8f6

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
4/25/2024 10:25:21 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Goobzo.Installer (M)

Engine version:
15.7.31.12

File size:
2.3 MB (2,429,848 bytes)

Product version:
2.9.0.999

Copyright:
Copyright (C) 2014

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\installer\install_16327\dcbraiegut_gutbl_setup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/10/2015 6:00:00 PM

Valid to:
2/11/2016 5:59:59 PM

Subject:
CN=BrowserAir (GOOBZO LTD), O=BrowserAir (GOOBZO LTD), STREET="Bldg #15 Matam", L=Haifa, S=Haifa, PostalCode=31905, C=IL

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3B4F9A8B40F303C8AAD1D77B2A2B4674

File PE Metadata
Compilation timestamp:
7/28/2015 1:56:52 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:nAhJYj2F4GocqH4QbAL0cNMgU3MdMBMl9CKLYDzI79g/ZffQ4HrVEjUB2yF6+IIP:nGFwbAVMYdFl0KL5geaJ2yF6+LAejB

Entry address:
0x4FF523

Entry point:
E8, 9A, 81, FB, FF, 66, 0F, CD, F7, D5, F7, D3, 5B, 66, BE, 2E, E6, 9C, 8B, 7C, 24, 04, 8D, B6, 72, 15, 05, 8A, E9, 5E, AC, DC, FF, 83, F6, E4, 26, 33, 7D, 72, 5D, 66, 7D, 37, 31, E2, C3, 27, 73, 67, B4, A4, 09, D7, 30, E4, 3A, 23, 9C, 78, B7, AB, 10, D0, 28, C5, 42, 19, 44, 30, 4A, AA, 8F, 50, 11, A4, ED, AC, 10, C5, 93, CF, 6F, 02, 81, CD, F6, BE, 2B, 24, F9, E1, 51, EE, 8A, 4F, 6E, 3B, 12, 7F, B5, CA, 52, 00, 3E, E9, 9D, 20, BF, 90, 6B, 25, 6F, D0, 4A, 47, DF, 8C, 05, 4C, B7, 65, B6, C2, 82, BB, 04, 9B...

Entropy:
7.8973  (probably packed)

Code size:
548.5 KB (561,664 bytes)

Scheduled Task
Task name:
Inst_Rep

Trigger:
Registration (Runs on registration)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-205-251-251-64.jfk5.r.cloudfront.net  (205.251.251.64:80)

TCP (HTTP):
Connects to server-205-251-251-200.jfk5.r.cloudfront.net  (205.251.251.200:80)

Remove dcbraiegut_gutbl_setup.exe - Powered by Reason Core Security