» setup.exe
Overview
Analysis
File Details
Network (1)

setup.exe

built-in so

Sergiy Maratov

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application setup.exe by Sergiy Maratov has been detected as adware by 40 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.

File name:

setup.exe

Publisher:

responsible a the (signed by Sergiy Maratov)

Product:

built-in so

Version:

9.4.0.0

MD5:

9aa89b37c8dae7c2cda518b899f2aa99

SHA-1:

6d04991545a29d7452003f82b6e5abd3feeedbcc

SHA-256:

39ebaeae7cc59ce25e971533678d3949c304521fa4d3b0a27bea72e0563665ef

Scanner detections:

40 / 68

Status:

Adware

Description:

This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:

4/25/2024 4:34:42 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Win32.Sality.3

867

Agnitum Outpost

Win32.Sality.BL

7.1.1

AhnLab V3 Security

Win32/Kashu.E

2014.07.08

Avira AntiVirus

W32/Sality.AT

7.11.30.172

avast!

Win32:PUP-gen [PUP]

140908-2

AVG

Adware Generic5.BBEK

2014.0.4015

Baidu Antivirus

Virus.Win32.Sality.$Emu

4.0.3.14920

Bitdefender

Win32.Sality.3

1.0.20.1315

Bkav FE

W32.Sality.PE

1.3.0.4959

Clam AntiVirus

Win.Adware.Dropper-7

0.98/19410

Comodo Security

Virus.Win32.Sality.Gen

18804

Dr.Web

Trojan.WebPick.2753

9.0.1.05190

Emsisoft Anti-Malware

Gen:Variant.Adware.Dropper.103

14.09.20

ESET NOD32

Win32/AdWare.MultiPlug.AP application

7.0.302.0

F-Prot

W32/Sality.gen2

v6.4.6.5.141

F-Secure

Win32.Sality.3

11.2014-20-09_7

G Data

Win32.Sality

14.9.24

IKARUS anti.virus

PUP.InstallRex

t3scan.1.6.1.0

K7 AntiVirus

Virus

13.180.12643

Kaspersky

Virus.Win32.Sality

14.0.0.3221

Malwarebytes

PUP.Optional.MultiPlug.A

v2014.09.20.08

McAfee

W32/Sality.gen.z

5600.7001

Microsoft Security Essentials

Threat.Undefined

1.177.1852.0

MicroWorld eScan

Win32.Sality.3

15.0.0.789

NANO AntiVirus

Virus.Win32.Sality.beygb

0.28.0.60698

Norman

Sality.ZHB

11.20140920

nProtect

Virus/W32.Sality.D

14.07.07.01

Panda Antivirus

W32/Sality.AA

14.09.20.08

Qihoo 360 Security

Malware.QVM19.Gen

1.0.0.1015

Quick Heal

W32.Sality.U

9.14.14.00

Reason Heuristics

PUP.Installer.SergiyMaratov.F

14.9.20.20

Rising Antivirus

PE:Win32.KUKU.kt!1591113

23.00.65.14918

Sophos

Mal/Sality-D

4.98

Total Defense

Win32/Sality.AA

37.0.11046

Trend Micro House Call

PE_SALITY.RL

7.2.263

Trend Micro

PE_SALITY.RL

10.465.20

Vba32 AntiVirus

Virus.Win32.Sality.bakc

3.12.26.3

VIPRE Antivirus

Threat.4721115

29708

ViRobot

Win32.Sality.N

2011.4.7.4223

Zillya! Antivirus

Virus.Sality.Win32.20

2.0.0.1850

File size:

1.9 MB (2,002,792 bytes)

Product version:

9.4.0.0

Original file name:

even are a programs multiple

File type:

Executable application (Win32 EXE)

Bundler/Installer:

WebPick InstalleRex

Language:

English (United States)

Common path:

C:\Program Files\ccleaner\setup.exe

Digital Signature

Signed by:

Sergiy Maratov

Authority:

Unizeto Technologies S.A.

Valid from:

6/24/2014 2:43:54 AM

Valid to:

6/24/2015 2:43:54 AM

Subject:

E=SergiyIvanovich@hotmail.com, CN=Sergiy Maratov, O=Sergiy Maratov, C=RU

Issuer:

CN=Certum Code Signing CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:

774A5B60838D600A3706CAB0BC5A6286

File PE Metadata

Compilation timestamp:

7/18/2014 11:12:09 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

49152:SS1KIKDRJFdbh2Uw96Lczp/MHIPL4yUJZS6Ibe7EiMlL:s1JFWUFAF/WIPLZUvS6Ib+M5

Entry address:

0x18C5B

Entry point:

E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, D8, EE, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, C3, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Entropy:

7.9292 (probably packed)

Code size:

141 KB (144,384 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to r1.stylezip.info (54.186.255.26:80)

Remove setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.