unfriendchecksetup.exe

Installer

GreenBottleSoftware Inc.

The application unfriendchecksetup.exe by GreenBottleSoftware has been detected as adware by 40 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. According to AVG, this software downloads additional adware offers during setup. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
GreenBottleSoftware Inc.  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
e7e9fa9a4f015c5610683f5611c79cc4

SHA-1:
9859cccd2179ac6ef42b593bbdbe88ccd07efbf1

SHA-256:
2b3c9b1599465bac2f0381aee2c1e2f0e2624d7c9bddf3ddc378ce876be56944

Scanner detections:
40 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware: both search toolbars and PC optimizers from Performersoft.

Analysis date:
4/25/2024 10:03:18 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Application.Bundler.InstallBrain.A | 968
AegisLab AV Signature | ADWARE-InstallBrain.Gen | 2.1.4+
Agnitum Outpost | Adware.BrainInst | 7.1.1
AhnLab V3 Security | Adware/Win32.BrainInst | 14.06.12
Avira AntiVirus | Adware/InstallBrain.CE | 7.11.121.36
avast! | Win32:InstallBrain-AT [PUP] | 140617-1
AVG | Trojan horse Downloader.Generic13.BQSZ | 2014.0.3972
Baidu Antivirus | Adware.Win32.Agent | 4.0.3.14612
Bitdefender | Application.Bundler.InstallBrain.A | 1.0.20.815
Bkav FE | W32.Clodb8d.Trojan | 1.3.0.4613
Comodo Security | Application.Win32.InstallBrain.AF | 17475
Dr.Web | Adware.Downware.1295 | 9.0.1.05190
Emsisoft Anti-Malware | Win32.Virtob.Gen.12 | 8.14.06.12.01
ESET NOD32 | Win32/InstallBrain.AF potentially unwanted application | 7.0.302.0
Fortinet FortiGate | Adware/InstallBrain.OP | 6/12/2014
F-Prot | W32/IBrain.D.gen | v6.4.7.1.166
F-Secure | Trojan:W32/InstallBrain.A | 11.2014-12-06_5
G Data | Win32.Application.InstallBrain | 14.6.22
IKARUS anti.virus | AdInstaller | t3scan.2.2.29
K7 AntiVirus | Unwanted-Program | 13.174.10588
Kaspersky | not-a-virus:AdWare.Win32.BrainInst | 15.0.0.463
Malwarebytes | Adware.InstallBrain | v2014.06.12.01
McAfee | RDN/Generic PUP.x!bpg | 5600.7102
Microsoft Security Essentials |  | 1.165.247.01
MicroWorld eScan | Application.Bundler.InstallBrain.A | 15.0.0.489
NANO AntiVirus | Trojan.Win32.Downware.cqmhdj | 0.28.0.57029
nProtect | Trojan-Clicker/W32.BrainInst.676192 | 14.03.21.01
Panda Antivirus | Adware/Ibups | 14.06.12.01
Qihoo 360 Security | Malware.QVM10.Gen | 1.0.0.1015
Quick Heal | TrojanDownloader.Brantall.b | 6.14.12.00
Reason Heuristics | PUP.Installer.GreenBottleSoftware.S | 14.6.12.9
Rising Antivirus | PE:Malware.InstallBrain!6.10A6 | 23.00.65.14610
Sophos | InstallBrain | 4.96
SUPERAntiSpyware | Trojan.Agent/Gen-Downware | 10549
Total Defense | Win32/Tnega.BRRKCQ | 37.0.10498
Trend Micro House Call | TROJ_GEN.F47V1122 | 7.2.163
Trend Micro | TROJ_SPNV.03KI13 | 10.465.12
Vba32 AntiVirus | AdWare.BrainInst | 3.12.24.3
VIPRE Antivirus | Trojan.Win32.Generic!SB.0 | 24588
Zillya! Antivirus | Adware.BrainInst.Win32.63 | 2.0.0.1777

File size:
653.3 KB (669,008 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\unfriendchecksetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
3/29/2013 6:18:22 PM

Valid to:
3/29/2016 7:18:22 PM

Subject:
CN=GreenBottleSoftware Inc., O=GreenBottleSoftware Inc., L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07C97E877D6A20

File PE Metadata
Compilation timestamp:
6/24/2013 3:14:23 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:4qHE+NqGWtKRqexIs9rcOJjEpi2lbFyaluoJc06VSkTA/FWKT:kSqeetlbUalH6V6dWw

Entry address:
0x1089D

Entry point:
E8, AD, 41, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, C4, 44, 42, 00, 00, 75, 18, E8, F8, 39, 00, 00, 6A, 1E, E8, 42, 38, 00, 00, 68, FF, 00, 00, 00, E8, 41, 25, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, C4, 44, 42, 00, FF, 15, 88, D0, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, C8, 44, 42, 00, 74, 0D, 53, E8, 91, 18, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 63, 18, 00, 00, 89, 30, E8, 5C, 18, 00, 00, 89...
 

Code size:
111 KB (113,664 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
