setup.exe

Savings Apps

This is the installer application for a 50onRed advertising supported software package (displays ads in the browser and may hijack the home and search pages of the web browser). The application setup.exe by Savings Apps has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from download.theappsrvr.com.
Publisher:
Savings Apps  (signed and verified)

MD5:
b22c350b563f129721dc43b797855a86

SHA-1:
a1889a4d7ed08c5a27769e9657a0f153d7151922

SHA-256:
00ab0e54bef86576e274eac411a29e75bbb88aaa121da835d78d5f644ae316b9

Scanner detections:
5 / 68

Status:
Adware

Analysis date:
5/10/2024 6:48:20 PM UTC  (today)

Scan engine
Detection
Engine version

Qihoo 360 Security
Malware.QVM06.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.SavingsApps.F
14.8.7.17

SUPERAntiSpyware
Trojan.Agent/Gen-FakeAV
10517

Trend Micro House Call
HV_ZYX_.97F06626
7.2.178

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.3

File size:
176 KB (180,264 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/17/2012 6:00:00 PM

Valid to:
10/18/2013 5:59:59 PM

Subject:
CN=Savings Apps, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Savings Apps, L=New Castle, S=Delaware, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
309F1A00318C3937D71BEA69C92A0738

File PE Metadata
Compilation timestamp:
12/5/2009 3:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:QgXdZt9P6D3XJl8rB2MBx2zuCd+KPVVXBiF3p+67j8M42JaJ3lpNuQN9ptIomF1k:Qe34D8rB2MB4uCI3PZ42gJ3LwQN9/KDk

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.5443

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file setup.exe has been seen being distributed by the following URL.

Remove setup.exe - Powered by Reason Core Security