setup.exe

TEHSNABSTROY LLC

This is the Amonetize download manager, which bundles applications with offers for additional 3rd-party software, mostly unwanted adware, and may be installed with minimal consent. The application setup.exe by TEHSNABSTROY has been detected as adware by 41 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The file is most likely infected with the Neshta virus, a Russian virus that gathers system information and sends it to a remote command and control server. The file has been seen being downloaded from www.generaldownload.com and multiple other hosts.
Publisher:
TEHSNABSTROY LLC  (signed and verified)

Version:
1.1.5.27

MD5:
41da04f7b69d02a6b60f5726dccf3051

SHA-1:
8154d89d908904092c4ecef55bde91b5d593799d

SHA-256:
6229e0b97af9c883eef28cfb0e68db772c57ad2810f996a0e0f243067bbbc045

Scanner detections:
41 / 68

Status:
Adware

Explanation:
Infected with the direct-infection Neshta file infector virus.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
4/19/2024 7:03:49 AM UTC

Scan engine                     Detection                       Engine version
Lavasoft Ad-Aware               Win32.Neshta.C                  904
Agnitum Outpost                 Win32.Neshta.A                  7.1.1
AhnLab V3 Security              Win32/Neshta                    2013.08.22
Avira AntiVirus                 W32/Neshta.a                    7.11.30.172
avast!                          Win32:Apanas [Trj]              2014.9-141029
AVG                             Worm/Delf                       2015.0.3383
Baidu Antivirus                 Virus.Win32.Neshta.$a           4.0.3.141029
Bitdefender                     Win32.Neshta.A                  1.0.20.1135
Bkav FE                         W32.HanGu.PE                    1.3.0.4959
Clam AntiVirus                  W32.Neshuta.A                   0.98/19283
Comodo Security                 Win32.Neshta.A                  16801
Dr.Web                          Win32.HLLP.Neshta               9.0.1.0226
Emsisoft Anti-Malware           Win32.Neshta                    8.14.08.15.01
ESET NOD32                      Win32/Neshta.A virus            8.7.0.302.0
Fortinet FortiGate              W32/Neshta.A                    10/29/2014
F-Prot                          W32/HLLP.41472                  v6.4.6.5.141
F-Secure                        Win32.Neshta.A                  11.2014-15-08_6
G Data                          Win32.Neshta                    14.8.22
IKARUS anti.virus               Virus.Win32.Neshta              t3scan.2.0.127
K7 AntiVirus                    Virus                           13.170.9337
Kaspersky                       Virus.Win32.Neshta              14.0.0.3408
Malwarebytes                    Trojan.Agent                    v2014.08.14.07
McAfee                          W32/HLLP.41472.e                5600.7038
Microsoft Security Essentials                                   1.163.1557.0
MicroWorld eScan                Win32.Neshta.A                  15.0.0.681
NANO AntiVirus                  Virus.Win32.Neshta.cdby         0.26.0.53954
Norman                          Neshta.C                        11.20141029
nProtect                        Virus/W32.Neshta                13.08.21.03
Panda Antivirus                 W32/Neshta.A                    14.08.15.01
Qihoo 360 Security              Virus.Win32.Neshta.B            1.0.0.1015
Quick Heal                      W32.Neshta.A                    10.14.12.00
Reason Heuristics               PUP.Installer.TEHSNABSTROY.F    14.8.14.7
Rising Antivirus                Win32.Netsha.a                  23.00.65.141027
Sophos                          W32/Bloat-A                     4.91
SUPERAntiSpyware                Trojan.Agent/Gen-FlyStudio      10271
Total Defense                   Win32/Neshta.A                  37.0.10498
Trend Micro House Call          PE_NESHTA.A                     7.2.302
Trend Micro                     PE_NESHTA.A                     10.465.29
Vba32 AntiVirus                 Virus.Win32.Neshta.a            3.12.22.3
VIPRE Antivirus                 Virus.Win32.Neshta.a            20730
ViRobot                         Win32.Neshta.B                  2011.4.7.4223

File size:
440.1 KB (450,632 bytes)

Product version:
1.1.5.27

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Language:
English (United States)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/18/2014 5:00:00 PM

Valid to:
6/19/2015 4:59:59 PM

Subject:
CN=TEHSNABSTROY LLC, O=TEHSNABSTROY LLC, STREET="UL. NIKOLYAMSKAYA, 9", L=G. MOSKVA, S=G. MOSKVA, PostalCode=109240, C=RU

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F4B1A67457808CFF0300CD93C4050F05

File PE Metadata
Compilation timestamp:
8/8/2014 8:14:44 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:hVV0zJWDkTOQCn5Ax6TyQ5bstXDhpHaw3s4i38CdfM:dwTTAcOyZtXD+w3sL3ndfM

Entry address:
0x10FBF

Entry point:
E8, E2, 56, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 3C, 4E, 3A, 00, 00, 75, 18, E8, F5, 2E, 00, 00, 6A, 1E, E8, 3F, 2D, 00, 00, 68, FF, 00, 00, 00, E8, 37, F3, FF, FF, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 3C, 4E, 3A...

Entropy:
7.6158

Code size:
100.5 KB (102,912 bytes)

The file setup.exe has been seen being distributed by the following 14 URLs.

Remove setup.exe - Powered by Reason Core Security