sg_6oypihu7yf_active.exe

Web Assistant

Bit Cocktail Ltd.

The application sg_6oypihu7yf_active.exe, “Web Assistant Setup” by Bit Cocktail, has been detected as a potentially unwanted program by 1 of 68 anti-malware scanners, namely Reason's own heuristic engine (no third-party engine in the pool flags it), with strong indications that the file is a potential threat. It is a setup/installer application of a kind known to bundle potentially unwanted software, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from www5l.incredimail.com.
Publisher:
IncrediBar (signed by Bit Cocktail Ltd.)

Product:
Web Assistant

Description:
Web Assistant Setup

MD5:
eb3f97ebb4c367ece0c841e6782af4f1

SHA-1:
dd8a8dbe75860c0f46043c77bd9edc66bc66bfd7

SHA-256:
35e79269c97465dc3a8bfc19eaa3f45ecd5d30bc9c83d72cb896a2b1af15944a

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider the file unwanted.

Analysis date:
4/25/2024 10:52:31 PM UTC

Scan engine        Detection                     Engine version
Reason Heuristics  PUP.Installer.BitCocktail.U   14.3.25.13

File size:
1.2 MB (1,242,992 bytes)

Product version:
2.0.0.100

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\incredimail\sg_6oypihu7yf_active.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
1/17/2012 1:00:00 AM

Valid to:
1/17/2013 12:59:59 AM

Subject:
CN=Bit Cocktail Ltd., O=Bit Cocktail Ltd., L=Herzeliya, S=Herzeliya, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
613E461899A05578474D1423CF9CC340

Note: the signing certificate's validity window ended on 1/17/2013, more than eleven years before the analysis date. An Authenticode signature made with it still verifies only if it carries a trusted countersignature timestamp from within that window; either way, a valid signature from a small publisher only identifies who signed the installer and says nothing about whether the components it bundles are wanted.

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM (this predates Win32 and is a fixed value written by the linker, not the real build date)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:zgTuRDKY5/83z++BQdHe9D1Oj6FBMaWAftVENpxSja9T7s:zgSAY98jQyJOWLMaWUVSwjGs

Entry address:
0xBA20

Entry point:
55, 8B, EC, 83, C4, C0, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, 89, 45, C0, B8, 38, B9, 40, 00, E8, 92, 8E, FF, FF, 33, C0, 55, 68, DB, C0, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 9C, C0, 40, 00, 64, FF, 32, 64, 89, 22, A1, 7C, D3, 40, 00, 8B, 00, E8, 7E, FD, FF, FF, E8, A9, F9, FF, FF, 8D, 55, F0, 33, C0, E8, FF, C9, FF, FF, 8B, 55, F0, B8, 88, EE, 40, 00, E8, F6, 77, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 88, EE, 40, 00, B2, 01, A1, AC, 8B, 40, 00, E8, AE, D2, FF, FF, A3, 8C, EE, 40, 00, 33...
 

Developed / compiled with:
Borland Delphi. The fixed June 1992 compilation timestamp, linker version 2.25 and OS version 1.0 shown above are the standard fingerprint of Delphi-built executables, and the entry-point bytes are the Delphi program prologue; the listing's original attribution to Microsoft Visual C++ does not fit these fields.

Code size:
44.5 KB (45,568 bytes)
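As an added example that is not part of the Reason Core listing: a Python script that reads the same PE header fields from a Win32 executable (timestamp, linker version, OS version, subsystem, entry address, code size), applies the Delphi fingerprint, and checks a file's hashes and on-disk path against the indicators above. The PE header it parses is constructed inside the script (it is not the real installer, so its hashes will not match the listed ones), and the function and field names are the example's own.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# Indicators copied from the listing above.
KNOWN_HASHES = {
    "md5": "eb3f97ebb4c367ece0c841e6782af4f1",
    "sha1": "dd8a8dbe75860c0f46043c77bd9edc66bc66bfd7",
    "sha256": "35e79269c97465dc3a8bfc19eaa3f45ecd5d30bc9c83d72cb896a2b1af15944a",
}

# Borland/Delphi linkers write this constant TimeDateStamp into every PE they
# produce: 0x2A425E19 == 1992-06-19 22:22:17 UTC (the listing renders it in UTC+2).
DELPHI_TIMESTAMP = 0x2A425E19

# "Common path" from the listing, with {user} and {random} treated as wildcards.
COMMON_PATH = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.tmp\\incredimail\\sg_6oypihu7yf_active\.exe$",
    re.IGNORECASE,
)

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF and PE32 optional-header fields that the listing reports."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsections, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic, maj_linker, min_linker, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)  # MajorOperatingSystemVersion/Minor
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]      # Subsystem
    return {
        "bitness": "Win32" if machine == 0x14C else hex(machine),
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{maj_linker}.{min_linker}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_point": entry,
        "code_size": size_of_code,
    }


def fingerprint(info: dict) -> str:
    """Toolchain guess from header fields alone (a heuristic, not proof)."""
    if info["timestamp"] == DELPHI_TIMESTAMP and info["linker_version"].startswith("2."):
        return "Borland Delphi"
    return "unknown"


def matching_hashes(data: bytes) -> dict:
    """Return the listed hashes this data matches (empty dict if none)."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {name: value for name, value in digests.items() if value == KNOWN_HASHES[name]}


def is_common_path(path: str) -> bool:
    """True if the path matches the %TEMP% drop location from the listing."""
    return COMMON_PATH.match(path) is not None


def build_sample_header() -> bytes:
    """Constructed test data: a bare PE32 header carrying the listing's values.
    It is NOT the real file, so its hashes will not match the indicators."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, DELPHI_TIMESTAMP, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 2, 25, 45568)                  # PE32, linker 2.25, code size
    struct.pack_into("<I", opt, 16, 0xBA20)                                 # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 1, 0)                                  # OS version 1.0
    struct.pack_into("<HH", opt, 48, 4, 0)                                  # subsystem version 4.0
    struct.pack_into("<H", opt, 68, 2)                                      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_header()
    info = parse_pe_header(sample)
    print(info)
    print("toolchain:", fingerprint(info))
    print("hash matches:", matching_hashes(sample))
```

To use it on a real sample, read the file into `data`, call `parse_pe_header(data)` and `matching_hashes(data)`, and pass the file's full path to `is_common_path`; a hash match is conclusive, while the Delphi fingerprint and the path only narrow the field.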

The file sg_6oypihu7yf_active.exe has been seen being distributed from www5l.incredimail.com; the full download URL is not recorded in this listing.

Powered by Reason Core Security