setup-eng-tspls.exe

Gerogeca

Sivensys SRL

The executable setup-eng-tspls.exe ("Gerogeca Setup") has been detected as malware by 1 of 68 anti-virus scanners. The program is a setup application built with the Inno Setup installer. The file has been seen being downloaded from www.metafarmvaults.com and multiple other hosts. While running, it connects to the Internet address li185-76.members.linode.com (178.79.129.76) on TCP port 80 using HTTP.
Publisher:
Sivensys SRL  (signed and verified)

Product:
Gerogeca

Description:
Gerogeca Setup

MD5:
dc45d86579246219262fb9015b206237

SHA-1:
77153480683a4201c2cc6bd20c8dd699af5802c6

SHA-256:
ffcfccc158de0817798fc0237d2ddc1cd27486fb8fecef005ed5a863eb7112dc

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
5/27/2024 10:42:13 PM UTC

Scan engine          Detection    Engine version
Reason Heuristics    PUP (M)      16.12.22.12

File size:
1.3 MB (1,383,344 bytes)

Product version:
1.4

Copyright:
Wizard Internet

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup-eng-tspls.exe

Digital Signature
Signed by:
Sivensys SRL
Authority:
GlobalSign nv-sa

Valid from:
10/20/2016 1:34:57 PM

Valid to:
10/21/2017 1:34:57 PM

Subject:
CN=Sivensys SRL, O=Sivensys SRL, L=IASI, C=RO

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE

Serial number:
0D38E905F0B0BA5733036DFB

File PE Metadata
Compilation timestamp:
6/20/1992 3:52:17 AM  (this is the fixed TimeDateStamp 0x2A425E19 written by the Borland/Delphi linker, which every Inno Setup stub carries regardless of when it was built, so it says nothing about the file's real build date)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Entropy:
7.9865  (close to the 8.0 maximum, as expected for an installer whose payload is compressed)

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)
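As an added example, not part of this report or of Reason Core Security's tooling: a Python helper that recomputes a file's MD5/SHA-1/SHA-256 and compares them with the values above, reads the PE header fields the report lists (timestamp, linker version, OS version, entry address, subsystem, code size) with plain struct offsets instead of a PE library, flags the constant Borland/Delphi linker timestamp 0x2A425E19, and computes byte entropy the way the Entropy field does. build_sample_pe() fabricates a minimal PE32 header carrying the report's values so the code runs offline; it is a constructed test input, not the real installer.

```python
"""Triage helper for the hashes and PE header fields listed in this report.

Added example; not part of the report or its tooling. build_sample_pe()
is a constructed minimal header for offline testing, NOT the real file.
"""
import hashlib
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

# Digests published in the report.
REPORT_HASHES = {
    "md5": "dc45d86579246219262fb9015b206237",
    "sha1": "77153480683a4201c2cc6bd20c8dd699af5802c6",
    "sha256": "ffcfccc158de0817798fc0237d2ddc1cd27486fb8fecef005ed5a863eb7112dc",
}

# Constant TimeDateStamp written by the Borland/Delphi linker (1992-06-19 22:22:17 UTC).
DELPHI_LINKER_STAMP = 0x2A425E19

SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(data: bytes) -> bool:
    """True only if all three digests equal the report's values."""
    return file_hashes(data) == REPORT_HASHES


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; compressed or encrypted payloads sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_header_info(data: bytes) -> dict:
    """Parse the PE32 header fields shown in the report (no third-party library)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, stamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (Win32) images are handled here")
    (code_size,) = struct.unpack_from("<I", data, opt + 4)      # SizeOfCode
    (entry,) = struct.unpack_from("<I", data, opt + 16)         # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "machine": "Win32 (x86)" if machine == 0x14C else hex(machine),
        "timestamp": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "delphi_constant_stamp": stamp == DELPHI_LINKER_STAMP,
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "entry_point": f"0x{entry:X}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "code_size": code_size,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header carrying the report's values (test input only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, DELPHI_LINKER_STAMP, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 2, 25)               # PE32 magic, linker 2.25
    struct.pack_into("<I", opt, 4, 40448)                       # SizeOfCode
    struct.pack_into("<I", opt, 16, 0xA5F8)                     # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 1, 0)                      # OS version 1.0
    struct.pack_into("<H", opt, 68, 2)                          # Subsystem: Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("hashes match report:", matches_report(blob))
    print("entropy: %.4f" % shannon_entropy(blob))
    for key, value in pe_header_info(blob).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py setup-eng-tspls.exe` against a real sample; a file whose three digests all match the report is the same artifact, and a `delphi_constant_stamp` of True is the expected result for any Inno Setup stub, not evidence of tampering.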

The file setup-eng-tspls.exe has been seen being distributed by the following 10 URLs, all on the host www.metafarmvaults.com with a different path each time.

http://www.metafarmvaults.com/6F9a6Gvzk2tkM2CaMBMfpNiStZPZjuPUk7FQlN1UcYP6cdLm24SlHvXRy2xLy1sEC9y 8x1JUWTIAHsfFx SxYPHl9ejv_GSawODHiqJ8ZkEThxnZp7M9_ozLGBJjPysW4bH6mSV7yIz_QvmwutqEZyjdUHw7UJCIlWyrCG57Y4MCnYiWO16QR2ji4Fkb4sBbtM84jzL3c4ggQeg1l7b y2zeVNaRw==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.metafarmvaults.com/SYe8WJTJRZ J Hg2rhl5rb3tbaB6Ia6a e1bPWsYPg_FTZjZ9JY8wyWC5nf T5ybOXnHqlbg_5bAiz2Ts6eqI0jAKHO McP1Rav0ugExLHk2w6pnZIbPNShv n7HoKl6a6NRdFnUu6z3XyzqYZYx7leZUvz8aSl7bT8bD1N8uv6HoASBthVi8SkegxZVEtDiK2GEmdcJByqRcKaS jqjyrEZFlU5_Q==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.metafarmvaults.com/pelDrHvfILaRiwE3kvIgGZS59t4tZGPiMjGtTRoncuI9psb11rroXCC0uGCKs ew9pjbMT6pWNWkKwasfCOW3i jTomTaMLkSkxjtZ XZR4fAk4K3IQPL06kU0jn358jkL3WbiUAQ14TGjslhemiy9wkXoLk5qIjYj8T118PG D oQMCN8iiJbZ4n zmJDZd86IJtjA1O9Iv0ZHtNn0lbex tYIGz44aE6nLrMwDvF17buoJG1xut13eRcJ8Qp3mT4iA5xBccXjeBKRR17kucZTzSCyEcAHeYFdA8aIybMFWXXH_4MH85k CKi0GN g7e8NUlvUHnJ547vaR1v5BpPrwLhvgbbbQdOX8_4JvKgmNbyj4QeB78i5fGh_U6DH0kgEqpg1XyJdNbm_ZdqSGiVWVkn0Ukdo9GnIzsxhofMkiQmQL5fCNxEnnmVPTnR5gqGgxfLf8 1WlNjmnwQe8jwbbQacv_4jQwTytpdR4NKJpZ8aMIRUQLeQkcGqvaTCw9oO1w64u-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.metafarmvaults.com/1Lp8fgkPF7O6xDB2jqTmrUTECXqnbkZvZbxp89AZ1MfyMlVcx4VdecGGX5Cf_stBs8NLngso 1Cqjq_buWHUARAvIdT2mL1H4vs8GTDOnP 9 Ok01qVzvQwTJMoEV4cV5MxEvuPfQOR66a0zJkXPq1BUQ1X_kc11_xCyxh_1fNI2bHPqu HzYgVa6K GBeE_ntIHH872F6AlWpXvWqRz E0y4XjRig==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.metafarmvaults.com/G3TZzGWCbvGqSe1OtiTAa5E3ZR7j2w09CYKQTbsMr4QgLUxToFVgrUb_2c3joHUSBWyyTmj54R5xDb0MW 7JOcedUDF6L_iKGn0rTDuXZfOpZxOWjbD9K53dOf gZj9gE_de3LAeNNGdhBLKZmqqbwFLF73pNFsLo6E_O3Vj1nx0B0kDJs6ReJw4ZBcPqqRDOsuK_6l39bCZbEDKbv003jcUNp1zQ==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.metafarmvaults.com/AsAq5REty6 v3ZWPDypaa5UjXhvhd7KlSTC_UbcmekkFQnW3SA3FjvnFx6APllerF5P_G oiEwDNtrLipezsYCyQ3cuRgal8FSATgxtCs3WjsNXtU9rWBfa3zAAUpyb9gFYx_t iMLckzt3oEVU5V94T5Syzw_PcVVu9eXmeAOH_X8zjynGgb7mXCDlKB6GWgwbPFTmBN_2NKej8gG9ePgIQzZ6oZw==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.metafarmvaults.com/ 2Db4p7rodg8e97GogbIW7UlXw rSaBJioOQjZX6s3ohahxFuBOkWy9qnx3aVCu4oNieRz3SPCaJx1lPag6L_68dn39OxYVmo8W QtaC6dPHLirKh9nTj4uy6CtC6mINCwhxmsSNieDghPpDtSHF1qcWH17R4erkTa2Te4KJPmZFId1gqVo1l4LpBgSCxodgfdnlhI_xeBSvSD_2PfLK zz59rdCTTie_rTH ks4xzEp0KcjumswDN2zLRwArqSSRiymWkRnpE ivCqh3rBRMRiUVeWEWHUTcWUR_lMM53Kw kZ3CfGV9bWJd7RzWV6YAIT6S5VptII4j5KSGm__yArC76LkHuMP6IyyE1eIwAiQHdOphKZeIshldq_k9AkGRSx9kzEe8UK_36251 gzlDwIUXGlFpqxhSxpzwF5E014a53CH6bh47cb10qBJU5_3P1n3KykslSNNhWtEgcqIERs88G61_ vktdRzwSe64C_zs_j691XmbwJuryZsGQkv98utJ54-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.metafarmvaults.com/H8guzorMiTdGXXQXs1 Z33KvTlPFS1tE7NUguwTlDXK _lRlizie6WIWj SROvw9tkgYs90lWdqWVVYgfzObfXcxYyaXz3tDVA7QR1CFEhox yyYZfd aaVZValoR72jwfh3x1h4rsBlSz_VcSkJr0qBjKwnQtsXG8yHsk3Leg1MnEDX_RGoJqUwKv5Y4dK47G5pKVX81yi_bxWUZaEVatzPr14Jig==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.metafarmvaults.com/ wDmBRB3oEJH6wkHezO5o5XP0AoRk2Wwa1N9FgYs7C5bMA0k1tGQvMtOBMM5hD8jd2nFatsl_S2aYBGHp7iNXX6S9s9feaZM456gECNdtj8jEcHne 05yTdbDNYws M1STofWKTLgiwYHoXoDCdOSt6pUZAfysomZT60S3nvkY4puLkIBY9WgYV9KIkra6egaGkj2_M5eKQ5LYPFdgIQvRLLlTCeFw==-GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

http://www.metafarmvaults.com/mntRgouBp Zq16pFmAqNz26Gxshdg_Guu9Dui8NbZG7rOPH6DPHpTBEPdklQtBZtq8E49hbVmWiaeOEehreoKG6HM6L3y445WyKLM92FkZf NyDHKuw36p_h5mqfkJ7xG8DnIa4ocEZlsIhB VWfXxHpNzAR8_5PIr8N1lHLl3RV5wBl3WDWwegcx7quPIzQOqD9bVd7HsbhidHkC88VPAH6n4hddwGzzwZBIEJFx7z_qwVQHcr63CbkgKBMnAQWI6GHHFYRLzoB9CDS getBS3iYDW FU2T4LFkecwrQa9UNlWA4uZ2nz0WxxU4z8I21El9G0dX2NQIEdkscBLnKWmAJV54wsToWHYhFlw0PQVhpWBUUpu9r1v_BdoSRZLG79hWSz8RDB 7PXXNaoGh1xon09mUgM6jLBYUvERU76PHUfgJmbMqXDsNt39z8rEbsrDjQkUPJp9DR DlMDdRtiH1kNvrniuUIgR4Jj_e528piy8df8pMO7jeNck12lQCOXoI74N -GxQAAKRdxtretCCEFCKK5DqwG4Nvu_EA

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to li185-76.members.linode.com  (178.79.129.76:80)
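As an added example covering both the distribution URLs and the network connection above, not part of this report: a Python indicator matcher that keys on the constant host name (the listed URL paths all differ), the contacted host and address, the file name and the SHA-256, and runs over log lines. The records in SAMPLE_LOG are constructed to resemble proxy, EDR, DNS and firewall output and are not real telemetry; the URL path in them is a placeholder, not one of the listed paths.

```python
"""Match this report's network and file indicators against log lines.

Added example; not part of the Reason Core Security report. Indicator values
are taken from the page; SAMPLE_LOG is constructed, not real telemetry.
"""
import re

IOC_PATTERNS = {
    # Every listed download URL is on this host; paths differ, so key on the host.
    "distribution_host": re.compile(r"(?<![\w.-])www\.metafarmvaults\.com(?![\w-])", re.I),
    # Host and address the installer contacts while running.
    "contacted_host": re.compile(r"(?<![\w.-])li185-76\.members\.linode\.com(?![\w-])", re.I),
    "contacted_ip": re.compile(r"(?<![\d.])178\.79\.129\.76(?![\d.])"),
    "contacted_ip_port": re.compile(r"(?<![\d.])178\.79\.129\.76:80(?!\d)"),
    "filename": re.compile(r"(?<![\w.-])setup-eng-tspls\.exe(?![\w-])", re.I),
    "sha256": re.compile(r"ffcfccc158de0817798fc0237d2ddc1cd27486fb8fecef005ed5a863eb7112dc", re.I),
}

# Constructed sample records (not real logs). The URL path is a placeholder.
SAMPLE_LOG = [
    "2024-05-27T22:40:58Z proxy src=10.20.1.15 GET http://www.metafarmvaults.com/<per-download-token> 200 1383344 application/octet-stream",
    "2024-05-27T22:41:04Z edr host=WS-07 user=jdoe event=file_create path=C:\\Users\\jdoe\\Downloads\\setup-eng-tspls.exe sha256=FFCFCCC158DE0817798FC0237D2DDC1CD27486FB8FECEF005ED5A863EB7112DC",
    "2024-05-27T22:41:12Z dns src=10.20.1.15 query=li185-76.members.linode.com type=A answer=178.79.129.76",
    "2024-05-27T22:41:12Z fw action=allow proto=tcp 10.20.1.15:51844 -> 178.79.129.76:80",
    "2024-05-27T22:41:20Z proxy src=10.20.1.15 GET https://www.example.com/index.html 200 512 text/html",
    "2024-05-27T22:41:25Z fw action=allow proto=tcp 10.20.1.15:51850 -> 178.79.129.7:443",
]


def scan_line(line: str) -> set:
    """Return the names of all indicators present in one log line."""
    return {name for name, pattern in IOC_PATTERNS.items() if pattern.search(line)}


def scan_log(lines) -> list:
    """Return (line_number, sorted indicator names) for every line with a hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = scan_line(line)
        if found:
            hits.append((number, sorted(found)))
    return hits


def summarize(lines) -> dict:
    """Count the lines each indicator appeared in, for prioritising follow-up."""
    counts = {name: 0 for name in IOC_PATTERNS}
    for _, names in scan_log(lines):
        for name in names:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(names)}")
    print(summarize(SAMPLE_LOG))
```

The boundary lookarounds keep 178.79.129.7 and 1178.79.129.76 from matching the address, and the hash pattern is case-insensitive because EDR products differ in how they render digests; the port-qualified match is listed separately since port 80 alone is far too common to flag.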

Powered by Reason Core Security