setup.exe

Creative Apps

This is the installer for an advertising-supported software package from 50onRed; the package displays ads in the browser and may hijack the browser's home page and search provider. The application setup.exe by Creative Apps has been detected as adware by 12 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from d3toubmszw6uyc.cloudfront.net and multiple other hosts.
Publisher:
Creative Apps  (signed and verified)

MD5:
35522713a9de23fac0dae876f34244c8

SHA-1:
36b0dd972f60d98e88348702ff04d97edfe56e15

SHA-256:
8cc3bcc0045f8a7048e250596d41bdce8ef6e6ab2c7be47c67fb2a1618c5eea9

Scanner detections:
12 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
4/18/2024 11:25:01 PM UTC

Scan engine             Detection                      Engine version
AVG                     SmartShopper.G                 2015.0.3513
Bkav FE                 W32.Clod8f9.Trojan             1.3.0.4959
Dr.Web                  Adware.Allgo.9                 9.0.1.095
ESET NOD32              Win32/Toolbar.CrossRider       8.9488
Fortinet FortiGate      W32/Toolbar_CrossRider.C       4/5/2014
K7 AntiVirus            Unwanted-Program               13.176.11302
McAfee                  Artemis!35522713A9DE           5600.7169
NANO AntiVirus          Trojan.Win32.Plugin.cqzpgj     0.28.0.58101
Reason Heuristics       PUP.Installer.CreativeApps.F   14.8.7.17
Sophos                  Generic PUA AK                 4.98
Trend Micro House Call  TROJ_GEN.R0CBH05AE14           7.2.95
VIPRE Antivirus         Adware.Crossid                 26960

File size:
1 MB (1,050,976 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
Creative Apps

Authority:
Thawte, Inc.

Valid from:
1/8/2013 6:00:00 PM

Valid to:
1/9/2014 5:59:59 PM

Subject:
CN=Creative Apps, O=Creative Apps, L=Philadelphia, S=Pennsylvania, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
22397CD0CA2975EF0A4A189BEBD89D08

File PE Metadata
Compilation timestamp:
6/6/2009 4:41:59 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:ts5CNcxMxAVyn59V2ow+qeMVgRy5nL3ZI4QO:KicxGAVOcfmKgRy97m43

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
6.4455

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
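The hashes, PE header fields and entropy listed above are the properties a responder re-checks before trusting a report about a file on disk. The script below is an added example, not code from the report or from its publisher: it uses only the Python standard library to hash a file, read the COFF/PE32 header fields the report lists (compilation timestamp, linker version, OS version, entry point RVA, subsystem), compute Shannon entropy, and compare each value with the report. The REPORTED dictionary holds the values copied from this page; build_sample_pe() is a constructed header-only stand-in used so the example runs offline (it carries the report's metadata values but is not the real setup.exe and will not match its hashes or size). One caveat the signature block above does not settle: the signing certificate's validity ended on 1/9/2014, so an Authenticode signature on this file chains as valid in 2024 only if it carries a trusted timestamp countersignature from inside that window; a hash match tells you it is the same file, not that the signature is still trustworthy.

```python
"""Offline re-check of a scanner report's file properties against the file itself.
Added example, not part of the report; standard library only."""
import calendar
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone

# Values copied from the report above, so a downloaded sample can be checked against them.
REPORTED = {
    "md5": "35522713a9de23fac0dae876f34244c8",
    "sha1": "36b0dd972f60d98e88348702ff04d97edfe56e15",
    "sha256": "8cc3bcc0045f8a7048e250596d41bdce8ef6e6ab2c7be47c67fb2a1618c5eea9",
    "size": 1050976,
    "entry_rva": 0x30FA,
    "linker_version": "6.0",
    "os_version": "4.0",
    "subsystem": "Windows GUI",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. An NSIS stub carrying a compressed payload lands around 6 to 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF and PE32 optional-header fields the report lists (no third-party pefile)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsections, timestamp, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:                                # 0x10B = PE32 (Win32); 0x20B would be PE32+
        raise ValueError("not a PE32 image")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": machine,
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "entry_rva": entry_rva,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def report_matches(data: bytes, reported: dict = REPORTED) -> dict:
    """True/False per field: does this file agree with what the report says?"""
    h, pe = file_hashes(data), parse_pe_header(data)
    return {
        "md5": h["md5"] == reported["md5"].lower(),
        "sha1": h["sha1"] == reported["sha1"].lower(),
        "sha256": h["sha256"] == reported["sha256"].lower(),
        "size": len(data) == reported["size"],
        "entry_rva": pe["entry_rva"] == reported["entry_rva"],
        "linker_version": pe["linker_version"] == reported["linker_version"],
        "os_version": pe["os_version"] == reported["os_version"],
        "subsystem": pe["subsystem"] == reported["subsystem"],
    }


def build_sample_pe() -> bytes:
    """Constructed test input: a header-only PE32 carrying the report's metadata values.
    It is not the real setup.exe and cannot run; it only exercises the parser offline."""
    compiled = calendar.timegm((2009, 6, 6, 16, 41, 59))          # 6/6/2009 4:41:59 PM UTC
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew at 0x3C -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, compiled, 0, 0, 224, 0x010F)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 6, 0, 0x5E00, 0, 0, 0x30FA,
                      0x1000, 0x7000, 0x400000, 0x1000, 0x200)   # linker 6.0, entry RVA 0x30FA
    opt += struct.pack("<HHHHHHIIIIHH", 4, 0, 0, 0, 4, 0, 0, 0x8000, 0x400, 0, 2, 0)  # OS 4.0, GUI
    return (dos + coff + opt.ljust(224, b"\0")).ljust(0x400, b"\0")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("entropy:", round(shannon_entropy(blob), 4))
    print("header: ", parse_pe_header(blob))
    print("matches:", report_matches(blob))
```

Run it as `python triage.py setup.exe` against a downloaded copy; with no argument it runs on the constructed sample, which agrees with the report on the PE header fields and disagrees on the hashes and size, which is exactly the split you want to see when a file has been tampered with but its installer stub was left alone.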

The file setup.exe has been seen being distributed by 10 URLs; one of them is listed here.

http://d3toubmszw6uyc.cloudfront.net/.../setup.exe

Remove setup.exe - Powered by Reason Core Security