setup.exe

InstallVibes

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the pages the browser displays. The application setup.exe by InstallVibes has been detected as adware by 13 anti-malware scanners. It uses the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from lp.downloadsrv13.com and multiple other hosts.
Publisher:
InstallVibes (signed and verified)

MD5:
99213d06ad3ba33532cae50b0b16a97b

SHA-1:
a427dba717af04c5960b39251ac1eb99b7ba9c7f

SHA-256:
e8a459676e673c3c0f68a5b3d805894737b5503f71e279a1595c85fa31e3b7ff

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
4/25/2024 4:03:45 AM UTC

Scan engine         Detection                                           Engine version
Agnitum Outpost     Riskware.Agent                                      7.1.1
Avira AntiVirus     TR/Dropper.Gen                                      7.11.30.172
AVG                 Bundlo                                              2015.0.3431
Comodo Security     Application.Win32.Bundlore.C                        18681
ESET NOD32          Win32/Bundlore.G potentially unwanted application   7.0.302.0
IKARUS anti.virus   PUA.Bundlore                                        t3scan.1.6.1.0
K7 AntiVirus        Unwanted-Program                                    13.180.12538
Malwarebytes                                                            v2014.06.26.11
McAfee              PUP-FDC                                             5600.7087
Panda Antivirus     Trj/Genetic.gen                                     14.06.26.11
Reason Heuristics   PUP.Installer.InstallVibes.K                        14.6.26.22
Sophos              Bundlore                                            4.98
VIPRE Antivirus     Threat.4150696                                      29708

File size:
316.8 KB (324,352 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/19/2014 8:00:00 PM

Valid to:
3/19/2016 7:59:59 PM

Subject:
CN=InstallVibes, O=InstallVibes, STREET=Ehad Haam 21 St., L=Tel Aviv, S=Israel, PostalCode=6515103, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F29201EBC1EAD2B751F2854AD68C6244

File PE Metadata
Compilation timestamp:
6/5/2014 11:01:24 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:TDyYMkccI7Lbii5bkgVuN+xSKV7Wkrsf7Ls6hSxYDZnCY2UAzzH:TDyYMkr4XikbkgaISKVa1DB2UAP

Entry address:
0x3036

Entry point:
E8, 70, 53, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, F8, 6B, 41, 00, E8, F4, 32, 00, 00, E8, 41, 55, 00, 00, 0F, B7, F0, 6A, 02, E8, 03, 53, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, C2, 4A, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
6.8461

Code size:
63 KB (64,512 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.
