home

setup.exe

Sergei Ivanovich Drozdov

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application setup.exe by Sergei Ivanovich Drozdov has been detected as adware by 23 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
Sergei Ivanovich Drozdov  (signed and verified)

MD5:
663d1e6b38715d2da795f145b1492bbe

SHA-1:
8d5d1c4769d5cd3b8d98027940dd4d66d00ef815

SHA-256:
bdec322f0e223875dd4b3892a032430f2ef8da798fb33cae42f287d6110618ac

Scanner detections:
23 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
4/25/2024 8:53:38 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Dropper.101
1022

AhnLab V3 Security
Trojan/Win32.Agent
14.04.19

Avira AntiVirus
ADWARE/Adware.Gen7
7.11.144.64

avast!
Win32:MultiPlug-AI [PUP]
2014.9-140419

AVG
Generic_r
2015.0.3500

Bitdefender
Gen:Variant.Adware.Dropper.101
1.0.20.545

Comodo Security
Application.Win32.Multiplug.R
18128

Dr.Web
Trojan.Crossrider.4243
9.0.1.0109

Emsisoft Anti-Malware
Gen:Variant.Adware.Dropper.101
8.14.04.19.01

ESET NOD32
Win32/AdWare.MultiPlug (variant)
8.9698

F-Secure
Gen:Variant.Adware.Dropper.101
11.2014-19-04_7

G Data
Gen:Variant.Adware.Dropper.101
14.4.24

IKARUS anti.virus
Win32.SuspectCrc
t3scan.1.6.1.0

Kaspersky
not-a-virus:AdWare.Win32.MultiPlug
14.0.0.3995

Malwarebytes
PUP.Optional.MultiPlug.A
v2014.04.19.01

McAfee
PUP-FID!663D1E6B3871
5600.7156

MicroWorld eScan
Gen:Variant.Adware.Dropper.101
15.0.0.327

NANO AntiVirus
Trojan.Win32.Crossrider.cuwgpc
0.28.0.59288

Panda Antivirus
Trj/Genetic.gen
14.04.19.01

Reason Heuristics
PUP.Installer.SergeiIvanovichDrozdov.F
14.4.18.19

Rising Antivirus
PE:Malware.MultiPlug!6.13CF
23.00.65.14417

Sophos
MultiPlug
4.98

VIPRE Antivirus
Trojan.Win32.Generic
28384

File size:
1.5 MB (1,615,432 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\windows\syswow64\setup.exe

Digital Signature
Signed by:
Sergei Ivanovich Drozdov

Authority:
Unizeto Technologies S.A.

Valid from:
1/8/2014 2:24:34 AM

Valid to:
1/8/2015 2:24:34 AM

Subject:
E=drozdov54@hotmail.com, CN="Open Source Developer, Sergei Ivanovich Drozdov", OU=Sedro Soft, O=Sergei Ivanovich Drozdov, C=RU

Issuer:
CN=Certum Level III CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
4E05AFB21C1318DB8A2C0669760C9050

File PE Metadata
Compilation timestamp:
3/3/2014 6:30:11 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:YZpaqE9rEHgXWYV4y2lNNDVIPdp/twXhEBBNOk0m:bqE9IuWYV4XNNpGdp/OkBkNm

Entry address:
0x109DB

Entry point:
E8, 4E, 4A, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, E0, 21, 42, 00, E8, 2F, 21, 00, 00, E8, E0, 07, 00, 00, 0F, B7, F0, 6A, 02, E8, E1, 49, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, A0, 37, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
7.9166  (probably packed)

Code size:
103 KB (105,472 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.