eTypeSetup_v1.0.1.4422.exe

DSNR

The application eTypeSetup_v1.0.1.4422.exe by DSNR has been detected as a potentially unwanted program by 2 anti-malware scanners. It uses the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from version.etype.com. While running, it connects to the Internet address 92b91b2d.rdns.100tb.com on port 80 using the HTTP protocol.
Publisher:
DSNR (signed and verified)

MD5:
bd0b12fc09352c59a8d3e80585352a38

SHA-1:
1a05bcb613d6e64da98a73ec66cb2599e02b68d1

SHA-256:
3bfcbc3f39ba4d32c45e88127f609bbbf88a86e8297778fa0dd2dab5eae07254

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/20/2024 3:00:18 AM UTC

Scan engine: ESET NOD32
Detection: Win32/InstallCore.BA (variant)
Engine version: 8.7822

Scan engine: Reason Heuristics
Detection: PUP.Installer.DSNR.T
Engine version: 14.4.13.18

File size:
1.1 MB (1,102,200 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\etypesetup_v1.0.1.4422.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
4/15/2012 8:00:00 PM

Valid to:
4/12/2013 7:59:59 PM

Subject:
CN=DSNR, OU=DSNR labs, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=DSNR, L=Raanana, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4D1A5C63FA2465BBB324D0AE2902288A

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:EhkkGNCEFvUp2Ia38mXJA7+ykftxfyOwGhPvTQu29N1SfpCKPGIEfNUMfK7E8R:EC9FMp2t33yPklJyOVZSN1+wIEfuMf0R

Entry address:
0xCD690

Entry point:
55, 8B, EC, 83, C4, F0, B8, 4C, 41, 40, 00, E8, 4E, CF, FF, FF, FF, 00, 00, 81, E6, 00, 00, FF, FF, 89, 73, 04, 6A, 04, 68, 00, 20, 00, 00, 56, 55, E8, 80, FD, FF, FF, 89, 03, 83, 3B, 00, 74, 23, 8B, D3, B8, E4, D5, 46, 00, E8, F5, FD, FF, FF, 84, C0, 75, 13, 68, 00, 80, 00, 00, 6A, 00, 8B, 03, 50, E8, 62, FD, FF, FF, 33, C0, 89, 03, 5D, 5F, 5E, 5B, C3, 90, 53, 56, 57, 55, 83, C4, EC, 89, 4C, 24, 04, 89, 14, 24, C7, 44, 24, 08, FF, FF, FF, FF, 33, D2, 89, 54, 24, 0C, 8B, E8, 8B, 04, 24, 03, C5, 89, 44, 24...

Entropy:
6.9295

Developed / compiled with:
Microsoft Visual C++

Code size:
837.5 KB (857,600 bytes)

The file eTypeSetup_v1.0.1.4422.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-49-170-39.eu-west-1.compute.amazonaws.com (52.49.170.39:80)

TCP (HTTP):
Connects to ec2-52-30-150-214.eu-west-1.compute.amazonaws.com (52.30.150.214:80)

TCP (HTTP):
Connects to 92b91b2d.rdns.100tb.com (146.185.27.45:80)

TCP (HTTP):
Connects to 50.115.122.45.static.westdc.net (50.115.122.45:80)

TCP (HTTP):
Connects to hosted-by.leaseweb.com (199.58.87.155:80)

Remove eTypeSetup_v1.0.1.4422.exe - Powered by Reason Core Security