setup.exe

Amigo Installer

Mail.Ru LLC

The application setup.exe by Mail.Ru has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. While running, it connects to the Internet address amigo.mail.ru on port 80 using the HTTP protocol.
Publisher:
Mail.Ru  (signed by Mail.Ru LLC)

Product:
Amigo Installer

Version:
54.0.2840.191

MD5:
9da6869395a610d88e99076c56c93ef4

SHA-1:
67a8920ec2efd35e25be1b6b0418a3dcec46ce4d

SHA-256:
1c5474e977fa16aaf00ccc83bb6b504106383964fe123c6e1b362f349129d1dd

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/30/2024 2:04:51 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Amigo (L)

Engine version:
17.2.15.14

File size:
1.3 MB (1,332,952 bytes)

Product version:
54.0.2840.191

Copyright:
Copyright 2016 The Chromium Authors. All rights reserved.

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature
Signed by:
Mail.Ru LLC
Authority:
Thawte, Inc.

Valid from:
8/6/2015 5:00:00 AM

Valid to:
8/6/2017 4:59:59 AM

Subject:
CN=Mail.Ru LLC, O=Mail.Ru LLC, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
46946F32338A79AED5D30FEACE24618C

File PE Metadata
Compilation timestamp:
2/15/2017 2:59:23 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0xB2A3A

Entry point:
E8, 8C, 0A, 00, 00, E9, 8E, FE, FF, FF, 55, 8B, EC, 6A, FF, 68, 4E, 62, 4E, 00, 64, A1, 00, 00, 00, 00, 50, 51, 53, 56, 57, A1, 54, D2, 50, 00, 33, C5, 50, 8D, 45, F4, 64, A3, 00, 00, 00, 00, 89, 65, F0, FF, 75, 08, 83, 65, FC, 00, E8, 5A, F6, FF, FF, 59, EB, 08, B8, 82, 2A, 4B, 00, C3, 33, C0, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5E, 5B, 8B, E5, 5D, C3, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 80, F9, 40, 73, 15, 80, F9, 20, 73, 06, 0F, AD, D0, D3, EA, C3, 8B, C2, 33, D2, 80, E1, 1F, D3, E8, C3...

Code size:
917 KB (939,008 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to amigo.mail.ru  (217.69.139.252:80)

TCP (HTTP):
Connects to ip-172-26-136-19.ec2.internal  (172.26.136.19:80)

TCP (HTTP):
Connects to ec2-54-171-243-238.eu-west-1.compute.amazonaws.com  (54.171.243.238:80)

TCP (HTTP):
Connects to app-gw2.argonlabs.ru  (178.33.195.199:80)

TCP (HTTP SSL):
Connects to antizapret.prostovpn.org  (195.123.209.38:443)

Remove setup.exe - Powered by Reason Core Security