ext_setup.exe

Ostap Laponov

This program bundles adware during the download and install process using the InstalleRex pay-per-install app monetizer. The application ext_setup.exe by Ostap Laponov has been detected as adware by 29 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer and is built with the Crossrider cross-browser extension toolkit. Although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is typically executed from the user's temporary directory. While running, it connects to the Internet address r1.stylezip.info on port 80 over HTTP.
Publisher:
Ostap Laponov (signed and verified)

MD5:
6d57c972fa1c77b02107c8f8cfbaab42

SHA-1:
67655660dad7f05f9f157f5dd1cf1fe0fcbe3a68

SHA-256:
5c62bf344e81f257ca084181fb0c764dcd43b343fc1790027d2969af8a8dd623

Scanner detections:
29 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/26/2024 5:28:42 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Adware.Agent.NTQ | 887 |
| Agnitum Outpost | Adware.Agent | 7.1.1 |
| AhnLab V3 Security | Adware/Win32.Agent | 2014.09.01 |
| Avira AntiVirus | ADWARE/Adware.Gen7 | 7.11.170.64 |
| avast! | Win32:PUP-gen [PUP] | 140813-1 |
| AVG | Adware Generic5.AKOW | 2014.0.4015 |
| Bitdefender | Adware.Agent.NTQ | 1.0.20.1220 |
| Clam AntiVirus | Win.Adware.Agent-6642 | 0.98/19317 |
| Dr.Web | Trojan.Crossrider.31 | 9.0.1.05190 |
| Emsisoft Anti-Malware | Adware.Agent.NTQ | 9.0.0.4324 |
| ESET NOD32 | Win32/AdWare.MultiPlug.M application | 7.0.302.0 |
| F-Prot | W32/A-0358bd38 | v6.4.7.1.166 |
| F-Secure | Adware.Agent.NTQ | 11.2014-01-09_2 |
| G Data | Adware.Agent.NTQ | 14.9.24 |
| IKARUS anti.virus | AdWare.Agent | t3scan.1.7.5.0 |
| K7 AntiVirus | Adware | 13.183.13218 |
| Kaspersky | not-a-virus:WebToolbar.Win32.Cossder | 15.0.0.463 |
| Malwarebytes | PUP.Optional.MultiPlug.A | v2014.09.01.04 |
| McAfee | PUP-FDQ | 5600.7021 |
| MicroWorld eScan | Adware.Agent.NTQ | 15.0.0.732 |
| NANO AntiVirus | Riskware.Win32.Agent.crhhdl | 0.28.2.61861 |
| nProtect | Adware.Agent.NTQ | 14.08.31.01 |
| Panda Antivirus | Trj/Genetic.gen | 14.09.01.04 |
| Reason Heuristics | PUP.Installer.OstapLaponov.J | 14.9.1.4 |
| Rising Antivirus | PE:Malware.Adware!6.10E4 | 23.00.65.14830 |
| Sophos | MultiPlug | 4.98 |
| Vba32 AntiVirus | AdWare.MegaSearch | 3.12.26.3 |
| VIPRE Antivirus | Threat.4150696 | 32210 |
| Zillya! Antivirus | Adware.Cossder.Win32.8 | 2.0.0.1907 |

File size:
640 KB (655,384 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\addons\ext_setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
9/9/2013 1:00:00 AM

Valid to:
9/10/2014 12:59:59 AM

Subject:
CN=Ostap Laponov, O=Ostap Laponov, STREET=Minskаya 16, L=Kiev, S=Kiev, PostalCode=04078, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EA64F94CDE70375038736C9F1C0960DF

File PE Metadata
Compilation timestamp:
12/2/2013 10:48:22 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:5xh88xhJq3QGZfj03roKjUnmE2nR1uasZDi6IyPylA8H3DSoPBRsZFRyH7LptY:5xhJv/GZrQ7XE2ncZDkyPyl53tPAZFIw

Entry address:
0xF8F7

Entry point:
E8, 38, 3F, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 28, F0, 41, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 2C, F0, 41, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, DC, 07, 00, 00, 85, C0, 75, 06, B8, 90, F1, 41, 00, C3, 83, C0, 08, C3, E8, C9, 07, 00, 00, 85, C0, 75, 06, B8, 94, F1, 41, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...

Code size:
92.5 KB (94,720 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove ext_setup.exe - Powered by Reason Core Security