home

setup.exe

Bechiro S.L.

This is the Solimba installer program that will bundle additional offers mostly including adware and various unwanted PC utilities. The application setup.exe, “Application Installer 2x” by Bechiro S.L has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the Solimba DownloadMR installer. The installer uses the Solimba download manager to push adware offers during the download and setup process. Bundled adware includes search and shopping web browser toolbars.
Publisher:
apps installer   (signed by Bechiro S.L.)

Description:
Application Installer 2x

Version:
3.1.8

MD5:
ecd84927eb53aa1588c318bf681bd617

SHA-1:
aa07f8fc27a05985ddcd4c3c1aadd3f4f5986cf3

SHA-256:
7aca52842233653b6b387890c75ef730f2d7370502ec6b79057740245a6370e2

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Uses the Solimba installer to bundle adware offers.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/26/2024 5:21:43 PM UTC  (today)

Scan engine
Detection
Engine version

AVG
BundleApp
2015.0.3526

ESET NOD32
Win32/FirseriaInstaller (variant)
8.9579

G Data
Win32.Application.Morstar
14.3.24

Malwarebytes
PUP.Optional.Bechiro
v2014.03.23.07

Reason Heuristics
Adware.Solimba.Installer.F
14.8.8.2

Vba32 AntiVirus
Downware.Morstar
3.12.24.3

VIPRE Antivirus
DownloadMR
27676

File size:
491 KB (502,768 bytes)

Product version:
3.1.3

Copyright:
Copyright © 2014

Original file name:
installer2x.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Solimba DownloadMR

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
Bechiro S.L.

Authority:
Thawte, Inc.

Valid from:
6/12/2012 8:00:00 PM

Valid to:
6/13/2014 7:59:59 PM

Subject:
CN=Bechiro S.L., OU=Devel, O=Bechiro S.L., L=Barcelona, S=Barcelona, C=ES

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
738DCAC697C06E1B89D106073773010D

File PE Metadata
Compilation timestamp:
3/19/2014 10:11:46 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:P+TRL7A0wg5rYzCm4juSIBS2RVFW4P6gr646b19mmV0:P+17A0wRs92V1By6mV0

Entry address:
0xE4F9

Entry point:
E8, CD, 79, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 78, E4, 41, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 24, E1, 41, 00, C9, C2, 08, 00, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 60, 54, 42, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 64...
 
[+]

Entropy:
7.6564

Code size:
115 KB (117,760 bytes)

The file setup.exe has been seen being distributed by the following URL.

http://www.lpcloudsvr408.com/.../Setup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cdn.solimba.com  (95.211.6.35:80)

TCP (HTTP):
Connects to api.downloadmr.com  (95.211.39.161:80)

 
http://api.downloadmr.com/installer/9798861/launch

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.