» updateblindbat.exe
Overview
Analysis
File Details
Behaviors (1)

updateblindbat.exe

blindbat

Part of the Yontoo web browser plugin (delivers advertisements to the web browser in the form of injected banners, text-links, popups, etc.) the updater mechanism for blindbat will automatically keep the extension patched by downloaded new functionality which is auto-enabled by default. The application updateblindbat.exe by blindbat has been detected as adware by 5 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “Update blindbat”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.

File name:

updateblindbat.exe

Publisher:

blindbat (signed and verified)

Version:

1.0.5156.29316

MD5:

b3d2e9cb4b878443421de824a67bb765

SHA-1:

1df393a7d9ff72d55b9ed826c11231253ba075d9

Scanner detections:

5 / 68

Status:

Adware

Explanation:

Part of the Yontoo adware web browser extension update process.

Analysis date:

4/23/2024 7:42:59 PM UTC (today)

Scan engine

Detection

Engine version

Dr.Web

Trojan.BPlug.6

9.0.1.052

Emsisoft Anti-Malware

Gen:Variant.Symmi.1695

8.14.02.21.02

ESET NOD32

Win32/BrowseFox (variant)

8.9418

Malwarebytes

PUP.Optional.Blindbat.A

v2014.02.21.02

Reason Heuristics

PUP.Service.blindbat.O

14.2.21.14

File size:

78.8 KB (80,664 bytes)

Product version:

1.0.5156.29316

Original file name:

blindbat.exe

File type:

Executable application (Win32 EXE)

Language:

Language Neutral

Common path:

C:\Program Files\blindbat\updateblindbat.exe

Digital Signature

Signed by:

blindbat

Authority:

VeriSign, Inc.

Valid from:

11/27/2013 1:00:00 AM

Valid to:

11/28/2014 12:59:59 AM

Subject:

CN=blindbat, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=blindbat, L=San Diego, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

0B7F97173CD91AC680AED809CA9B3B59

File PE Metadata

Compilation timestamp:

2/12/2014 5:17:27 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows Console

Linker version:

8.0

.NET CLR dependent:

Yes

CTPH (ssdeep):

1536:ZD60fh7Jlc4zQLYU4hzd1pHcI4MBlrgBPa0Nz/JZS/YM0CkObBKhuiPJU:pvfBo4kp4hR1nFzrsa0zJPM0CFbw3JU

Entry address:

0x13612

Entry point:

FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Code size:

70 KB (71,680 bytes)

Service

Display name:

Update blindbat

Type:

Win32OwnProcess

Remove updateblindbat.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.