setup.exe

channel modern or and

Andrey Globin

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software (mostly unwanted adware) that may be installed without consent. The application setup.exe by Andrey Globin has been detected as adware by 31 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
is of (signed by Andrey Globin)

Product:
channel modern or and

Version:
0.2.0.0

MD5:
ebeb37699e7f83f0a952bfdab9cd68b7

SHA-1:
6de4765e00582b6385a2c44913a51a5c2e2c9efb

SHA-256:
e8164d01c7dad493a5b10eedfdc684228bf2b5af0abf5587a249abea1e77d823

Scanner detections:
31 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/18/2024 10:52:35 PM UTC

Scan engine           Detection                           Engine version

Lavasoft Ad-Aware     Gen:Variant.Adware.Dropper.103      826
Agnitum Outpost       PUA.MultiPlug                       7.1.1
AhnLab V3 Security    PUP/Win32.Adware                    2014.11.01
Avira AntiVirus       TR/Graftor.141601.A                 7.11.182.172
avast!                Win32:MultiPlug-AZ [PUP]            2014.9-141101
AVG                   Generic_r                           2015.0.3304
Bitdefender           Gen:Variant.Adware.Dropper.103      1.0.20.1525
Clam AntiVirus        Win.Adware.Agent-6737               0.98/21411
Comodo Security       Application.Win32.Multiplug.GETF    19960
Dr.Web                Trojan.Crossrider.17103             9.0.1.0305
Emsisoft Anti-Malware Gen:Variant.Adware.Dropper.103      8.14.11.01.03
ESET NOD32            Win32/AdWare.MultiPlug (variant)    8.10653
Fortinet FortiGate    Riskware/Generic.AC.1814531         11/1/2014
F-Prot                W32/A-f028759e                      v6.4.7.1.166
F-Secure              Gen:Variant.Adware.Dropper.103      11.2014-01-11_7
G Data                Gen:Variant.Adware.Dropper.103      14.11.24
IKARUS anti.virus     Trojan.Graftor                      t3scan.1.8.3.0
K7 AntiVirus          Adware                              13.185.13866
Kaspersky             not-a-virus:HEUR:AdWare.Win32.Agent 14.0.0.3014
Malwarebytes          PUP.Optional.MultiPlug              v2014.11.01.03
McAfee                PUP-FIC                             5600.6960
MicroWorld eScan      Gen:Variant.Adware.Dropper.103      15.0.0.915
NANO AntiVirus        Riskware.Win32.Agent.cxvuow         0.28.6.62995
Qihoo 360 Security    Malware.QVM10.Gen                   1.0.0.1015
Quick Heal            AdWare.MultiPlag.ace                11.14.14.00
Reason Heuristics     PUP.Installer.AndreyGlobin.F        14.10.31.21
Rising Antivirus      PE:Malware.MultiPlug!6.13CF         23.00.65.141030
Sophos                MultiPlug                           4.98
Vba32 AntiVirus       AdWare.Win64.MultiPlag              3.12.26.3
VIPRE Antivirus       Trojan.Win32.Generic                34424
Zillya! Antivirus     Backdoor.PePatch.Win32.38083        2.0.0.1973

File size:
2 MB (2,112,696 bytes)

Product version:
0.2.0.0

Copyright:
Copyright (c) 2014

Original file name:
if reports databases

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Language:
English (United Kingdom)

Common path:
C:\windows\syswow64\setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
9/17/2013 8:00:00 PM

Valid to:
9/18/2014 7:59:59 PM

Subject:
CN=Andrey Globin, O=Andrey Globin, STREET=Gagarina 4, L=Kiev, S=Kiev, PostalCode=02094, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6534084D6A4B724011508EF1B5AD13D6

File PE Metadata
Compilation timestamp:
5/12/2014 3:12:34 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:crZQ4/oDjlRxhUACX+Nvo6yj7MdUh7Aq04ksBEpcmHYU+:thUAo+Rsf7Aqlb+cmO

Entry address:
0x108BB

Entry point:
E8, CE, 49, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 30, 21, 42, 00, E8, AF, 20, 00, 00, E8, E0, 07, 00, 00, 0F, B7, F0, 6A, 02, E8, 61, 49, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 20, 37, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
7.9366  (probably packed)

Code size:
103 KB (105,472 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=12808846&publisher_id=280&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=38426538&external_id=0&session_id=76853076&hardware_id=89661922&installer_file_name=setup

Remove setup.exe - Powered by Reason Core Security