setup.exe

Setup Module

Visual Tools

The application setup.exe, “Setup Application” by Visual Tools, has been detected as adware by 20 anti-malware scanners. It displays context-specific advertisements in the browser and attempts to modify the browser's search provider. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address singhop0012.babylon.com on port 80 using the HTTP protocol.
Publisher:
Babylon Ltd.  (signed by Visual Tools)

Product:
Setup Module

Description:
Setup Application

Version:
9.1.4.7

MD5:
de3ac9a7165e4060c97071d1915a2e10

SHA-1:
2d0329aa862b2b6e316d9fe699c1b265973274ba

SHA-256:
3e730c6e922264d5722c1add515b5fea49b88ffa86c5f194d19bfa95f78652f5

Scanner detections:
20 / 68

Status:
Adware

Analysis date:
4/24/2024 9:28:48 AM UTC

Scan engine
Detection
Engine version

AhnLab V3 Security
Win32/Kashu.E
2014.07.24

avast!
Win32:Kukacka
2014.9-141022

Baidu Antivirus
Adware.Win32.Bbylon
4.0.3.141022

Bkav FE
W32.Clod2b6.Trojan
1.3.0.4562

Clam AntiVirus
WIN.Worm.Brontok
0.98/18355

Comodo Security
Application.Win32.Babylon.id
17372

Dr.Web
Trojan.StartPage.56734
9.0.1.0295

ESET NOD32
Win32/Toolbar.Babylon (variant)
8.9027

K7 AntiVirus
Virus
13.181.12819

Malwarebytes
v2014.10.22.01

Microsoft Security Essentials
Threat.Undefined
1.179.842.0

Norman
Sality.ZHB
11.20141022

Qihoo 360 Security
Malware.QVM19.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.VisualTools.F
14.10.22.1

Rising Antivirus
PE:Win32.KUKU.kj!1522176
23.00.65.141020

SUPERAntiSpyware
Trojan.Agent/Gen-Nullo[Short]
10285

Trend Micro House Call
TROJ_GEN.F47V0927
7.2.295

Trend Micro
PE_SALITY.RL
10.465.22

Vba32 AntiVirus
suspected of Trojan.Downloader.gen
3.12.24.3

VIPRE Antivirus
Threat.4721115
31208

File size:
1.2 MB (1,280,576 bytes)

Product version:
9.1.4.7

Copyright:
Copyright © Babylon Ltd. 1997-2014

Original file name:
Setup32.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\latest\setup.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
1/9/2013 7:00:00 PM

Valid to:
1/10/2015 6:59:59 PM

Subject:
CN=Visual Tools, O=Visual Tools, L=Belgrade, S=Serbia, C=RS

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
789958B0264F06055619270074AFA61F

File PE Metadata
Compilation timestamp:
10/6/2014 7:42:17 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:8kqhDUsh0Z1DfEc0HYBSRZpTYtSKyilHwwkc9xIEV:8kqGe0j0cS3RYJXlHwwkaxIEV

Entry address:
0x6D74F

Entry point:
E8, F6, C3, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 30, 54, 4C, 00, E8, CB, FB, FF, FF, E8, 50, 31, 00, 00, 0F, B7, F0, 6A, 02, E8, 89, C3, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 3C, 39, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
5.7644

Code size:
587 KB (601,088 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to DedLoadLM2200.babylon.com  (184.154.27.232:80)

TCP (HTTP):
Connects to singhop0012.babylon.com  (173.236.48.139:80)

TCP (HTTP):
Connects to ba-sh-us-dc3-005.babylon.com  (198.143.175.67:80)

Powered by Reason Core Security