s2setup.exe

Skymonk Solutions Limited

The application s2setup.exe by Skymonk Solutions Limited has been detected as adware by 21 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from update.skymonk.net.
Publisher:
Skymonk Solutions Limited (signed and verified)

MD5:
3404b9b5c82363fbfa91aedf33bf2158

SHA-1:
d157f39860419374429b81719b3081e04e25c1e1

SHA-256:
d3989cc31733d2de1700bcdf6933d14f4be160573b5dfc32f13f682a20ee6f14

Scanner detections:
21 / 68

Status:
Adware

Analysis date:
4/24/2024 3:05:15 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.1809245 | 894
Baidu Antivirus | PUA.Win32.bmMedia | 4.0.3.14824
Bitdefender | Trojan.GenericKD.1809245 | 1.0.20.1180
Clam AntiVirus | Win.Trojan.Generickd-368 | 0.98/21411
Dr.Web | Adware.Downware.3944 | 9.0.1.0236
Emsisoft Anti-Malware | Trojan.GenericKD.1809245 | 8.14.08.24.02
ESET NOD32 | Win32/bmMedia (variant) | 8.10300
Fortinet FortiGate | Riskware/BmMedia | 8/24/2014
F-Secure | Trojan.GenericKD.1809245 | 11.2014-24-08_1
G Data | Trojan.GenericKD.1809245 | 14.8.24
K7 AntiVirus | Trojan | 13.183.13139
MicroWorld eScan | Trojan.GenericKD.1809245 | 15.0.0.708
nProtect | Trojan.GenericKD.1809245 | 14.08.22.01
Reason Heuristics | PUP.Installer.SkymonkSolutionsLimited.H | 14.8.24.14
Sophos | Generic PUA PM | 4.98
Trend Micro House Call | Suspicious_GEN.F47V0816 | 7.2.236

File size:
1.2 MB (1,243,440 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\s2setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/9/2012 4:00:00 AM

Valid to:
4/10/2015 3:59:59 AM

Subject:
CN=Skymonk Solutions Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Skymonk Solutions Limited, L=Tortola, S=Tortola, C=VG

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
632A5F301191DF03C4933D982BAD525F

File PE Metadata
Compilation timestamp:
11/27/2013 10:18:53 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:OA8K7nJxTT8XgvID7xxvyH1d5oXiG4HGkshzShi9MWtyYcgb9B:pFWgm1Md5oXR4HGjolWtVT

Entry address:
0x38DA

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 0D, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, EF, 26, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, DD, 26, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
28.5 KB (29,184 bytes)

The file s2setup.exe has been seen being distributed from the download host named above, update.skymonk.net.

Remove s2setup.exe - Powered by Reason Core Security