ext_setup.exe

Pavel KRASNOV

This installer (built with WebPick's InstalleRex) is designed to bundle additional software offers such as adware and malware, mostly web browser extensions, into the download manager with minimal user consent. In most cases the setup process installs a browser extension for IE, Chrome and Firefox by default. The application ext_setup.exe by Pavel KRASNOV has been detected as adware by 27 anti-malware scanners. It is typically executed from the user's temporary directory. While running, it connects to the Internet address dl.softservers.net on port 80 using the HTTP protocol.
Publisher:
Pavel KRASNOV  (signed and verified)

MD5:
95521172ba5edf5c737eb37b14ccb8f7

SHA-1:
bad08c63f25149a21b5f9004dbb99e586db7fb9b

SHA-256:
b39363ac1f21b080587d7815ec5711fb9982ebc39c779a0b2c821defb8b00598

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Bundles additional adware offers in the installer/setup process.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/19/2024 10:05:04 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.Dropper.101 | 922
Agnitum Outpost | PUA.MultiPlug | 7.1.1
Avira AntiVirus | ADWARE/Adware.Gen | 7.11.164.52
avast! | Win32:PUP-gen [PUP] | 140617-1
AVG | Adware Generic5.AMTA | 2014.0.3986
Bitdefender | Gen:Variant.Adware.Dropper.101 | 1.0.20.1045
Clam AntiVirus | Win.Adware.Dropper-3 | 0.98/19185
Comodo Security | Application.Win32.Multiplug.GETF | 18997
Dr.Web | Trojan.MulDrop5.7854 | 9.0.1.05190
Emsisoft Anti-Malware | Gen:Variant.Adware.Dropper.101 | 8.14.07.28.12
ESET NOD32 | Win32/AdWare.MultiPlug.R application | 7.0.302.0
F-Prot | W32/A-39fd378d | v6.4.7.1.166
F-Secure | Gen:Variant.Adware.Dropper.101 | 11.2014-28-07_2
G Data | Gen:Variant.Adware.Dropper.101 | 14.7.24
IKARUS anti.virus | Virus.Script | t3scan.1.6.1.0
K7 AntiVirus | Adware | 13.181.12846
Malwarebytes | PUP.Optional.Installrex | v2014.07.28.12
McAfee | PUP-FEI | 5600.7056
MicroWorld eScan | Gen:Variant.Adware.Dropper.101 | 15.0.0.627
NANO AntiVirus | Riskware.Win32.MegaSearch.csvfny | 0.28.2.60990
Panda Antivirus | Trj/Genetic.gen | 14.07.28.12
Qihoo 360 Security | Malware.QVM10.Gen | 1.0.0.1015
Reason Heuristics | PUP.Installer.PavelKRASNOV.J | 14.7.27.23
Rising Antivirus | PE:Malware.Adware!6.1277 | 23.00.65.14726
Sophos | MultiPlug | 4.98
Vba32 AntiVirus | Adware.MegaSearch | 3.12.26.3
VIPRE Antivirus | Threat.4786450 | 31208

File size:
1.5 MB (1,540,600 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\addons\ext_setup.exe

Digital Signature
Signed by:

Authority:
Unizeto Technologies S.A.

Valid from:
1/17/2014 1:46:29 AM

Valid to:
1/17/2015 1:46:29 AM

Subject:
E=pavel0125@hotmail.com, CN="Open Source Developer, Pavel KRASNOV", O=Pavel KRASNOV, C=RU

Issuer:
CN=Certum Level III CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
145B82E22CCF1D1A2268198D76B51075

File PE Metadata
Compilation timestamp:
1/27/2014 4:38:36 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:2pD4YZM2nzEWfU7lzFTv6jVnSMXjD5hfK1Y8HEZYl7Las9PF7jOC8hFqdzHZrlIS:q4YZJnzEBRF76N3Xf/wLw+J5jLrljL

Entry address:
0xE3DB

Entry point:
E8, 7E, 44, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, C8, ED, 41, 00, E8, DF, 12, 00, 00, E8, CB, 0F, 00, 00, 0F, B7, F0, 6A, 02, E8, 11, 44, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 96, 01, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
7.9270  (probably packed)

Code size:
89 KB (91,136 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to i1.stylefun.info  (198.7.61.118:80)

TCP (HTTP):
Connects to dl.softservers.net  (184.154.145.171:80)

TCP (HTTP):
Connects to c1.getapplicationmy.info  (54.201.215.30:80)
