setup.exe

Pixia ver. 6

Isao Maruoka

The executable setup.exe, “Setup Launcher Unicode”, has been detected as malware by 10 anti-virus scanners. This is the uninstaller utility registered in the Windows Control Panel for the program Pixia ver. 6 by Isao Maruoka. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Isao Maruoka  (signed and verified)

Product:
Pixia ver. 6

Description:
Setup Launcher Unicode

Version:
6.00.0080

MD5:
e5730c2ce76df115b80fdd7d00be38e7

SHA-1:
b8779de2626ea29554f68123bd3b27b3ba11f508

SHA-256:
1c10cc684be38c813fac16e80297fe14894b5c5c098f42209516127d9914e5a2

Scanner detections:
10 / 68

Status:
Malware

Explanation:
setup.exe is infected by a worm that might download, install and run additional malware as well as may spread to other executable files.

Analysis date:
4/26/2024 5:44:17 AM UTC

Scan engine
Detection
Engine version

AhnLab V3 Security
Win32/Ramnit.J
15.10.26

AVG
Win32/Zbot.G
2016.0.2945

Baidu Antivirus
Virus.Win32.Nimnul.$a
4.0.3.151026

ESET NOD32
Win32/Ramnit
9.9639

Fortinet FortiGate
W32/Ramnit.C
10/26/2015

IKARUS anti.virus
Virus.Win32.Nimnul
t3scan.2.2.29

Panda Antivirus
W32/Nimnul.A
15.10.26.08

Qihoo 360 Security
Virus.Win32.Ramnit.A
1.0.0.1015

Rising Antivirus
PE:Win32.Mgr.b!1594784
23.00.65.151024

Vba32 AntiVirus
Virus.Win32.Nimnul.b
3.12.26.0

File size:
1.1 MB (1,199,608 bytes)

Product version:
6.00.0080

Copyright:
Copyright (c) 2013 Flexera Software LLC. All Rights Reserved.

Original file name:
InstallShield Setup.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\installshield installation information\{aea90e15-9071-48f4-8f45-3f22d656b124}\setup.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
11/20/2012 5:28:38 PM

Valid to:
3/2/2014 12:34:59 PM

Subject:
CN=Isao Maruoka, C=JP

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121111B5F1A6CC60D938C6C0502CB291FAD

File PE Metadata
Compilation timestamp:
5/30/2013 2:06:01 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:/NQ1pZtDtfu67T8a+SHD+45m5ZbHNYG4k2EV2ynovuTGgQWgq:/NQ1pZDuOTLHNs/pV2yn7TGgZX

Entry address:
0x6B0CB

Entry point:
E8, 6E, 27, 01, 00, E9, 79, FE, FF, FF, 85, C0, 74, 0D, 33, C9, 85, C0, 0F, 9F, C1, 8D, 4C, 09, FF, 8B, C1, C3, 0F, B6, 00, 0F, B6, 09, 2B, C1, 74, 0D, 33, C9, 85, C0, 0F, 9F, C1, 8D, 4C, 09, FF, 8B, C1, C3, 66, 8B, 06, 66, 3B, 01, 74, 35, 0F, B6, 11, 0F, B6, C0, 2B, C2, 74, 11, 33, D2, 85, C0, 0F, 9F, C2, 8D, 54, 12, FF, 8B, C2, 85, C0, 75, 1C, 0F, B6, 46, 01, 0F, B6, 49, 01, 2B, C1, 74, 10, 33, C9, 85, C0, 0F, 9F, C1, 8D, 4C, 09, FF, 8B, C1, C3, 33, C0, C3, 8B, 06, 3B, 01, 74, 6F, 0F, B6, 11, 0F, B6, C0...

Entropy:
6.6554

Code size:
699 KB (715,776 bytes)

Program Uninstaller
Program name:
Pixia ver. 6

Display publisher:
Isao Maruoka

Display version:
6.00.0080

Uninstall string:
"C:\Program Files (x86)\InstallShield Installation Information\{AEA90E15-9071-48F4-8F45-3F22D656B124}\setup.exe" -runfromtemp -l0x0411 -removeonly
