setup.exe

Setup Module

Babylon Software

This is part of the Babylon web browser toolbar and extension that modifies the browser's default search provider, DNS settings, and home page. The application setup.exe, "Setup Application" by Babylon Software, has been detected as adware by 20 anti-malware scanners. It is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It displays context-specific advertisements in the browser and attempts to change the browser's search provider. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address ba-sh-nl-dc1-008.babsft.com on port 80 using the HTTP protocol.
Publisher:
Babylon Ltd.  (signed by Babylon Software)

Product:
Setup Module

Description:
Setup Application

Version:
9.1.4.4

MD5:
85c8da54f43b2a737e91fa6f6f5acddb

SHA-1:
35d528132ba214258a287795a83e27470a75818d

SHA-256:
b69ee480b6d0b5087502f4a22734e2e9ba7617520c57c7f17ef19a113669420e

Scanner detections:
20 / 68

Status:
Adware

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
5/25/2024 7:57:51 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | Win32/Kashu.E | 2014.07.24
avast! | Win32:Kukacka | 2014.9-150426
Baidu Antivirus | Adware.Win32.Bbylon | 4.0.3.15422
Bkav FE | W32.Clod2b6.Trojan | 1.3.0.4562
Comodo Security | Application.Win32.Babylon.id | 17372
Dr.Web | Adware.Searcher.2766 | 9.0.1.0112
ESET NOD32 | Win32/Toolbar.Babylon.AD potentially unwanted (variant) | 9.11417
Fortinet FortiGate | Riskware/Babylon | 4/22/2015
K7 AntiVirus | Virus | 13.181.12819
Malwarebytes |  | v2015.04.26.04
Microsoft Security Essentials | Threat.Undefined | 1.179.842.0
Norman | Sality.ZHB | 11.20150426
Qihoo 360 Security | Malware.QVM19.Gen | 1.0.0.1015
Reason Heuristics | Threat.Babylon.Installer | 15.4.22.12
Rising Antivirus | PE:Win32.KUKU.kj!1522176 | 23.00.65.15424
SUPERAntiSpyware | Trojan.Agent/Gen-Nullo[Short] | 9912
Trend Micro House Call | Suspicious_GEN.F47V0208 | 7.2.112
Trend Micro | PE_SALITY.RL | 10.465.26
Vba32 AntiVirus | suspected of Trojan.Downloader.gen | 3.12.24.3
VIPRE Antivirus | Threat.4721115 | 31208

File size:
1.2 MB (1,227,096 bytes)

Product version:
9.1.4.4

Copyright:
Copyright © Babylon Ltd. 1997-2014

Original file name:
Setup32.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
12/8/2014 1:00:00 AM

Valid to:
12/8/2016 12:59:59 AM

Subject:
CN=Babylon Software, O=Babylon Software, L=Or Yehuda, S=Tel Aviv, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
7B8E754BED548B30647F4329D78D3F91

File PE Metadata
Compilation timestamp:
7/22/2014 9:16:10 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:IJkL7NDu5/XP5DpzeinBODc734CIyUXKfUlLvE:IJk/N65X5KcbIpXKfgzE

Entry address:
0x697DF

Entry point:
E8, B6, C0, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 00, 8E, 4B, 00, E8, CB, FB, FF, FF, E8, 11, 2E, 00, 00, 0F, B7, F0, 6A, 02, E8, 49, C0, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, FB, 35, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Code size:
562 KB (575,488 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to singhop0014.babylon.com  (96.127.151.131:80)

TCP (HTTP):
Connects to DedLoadLM2200.babylon.com  (184.154.27.232:80)

TCP (HTTP):
Connects to ba-sh-nl-dc1-008.babsft.com  (198.20.106.236:80)
