setup.exe

BOn dOn jOv

This is the OutBrowse Revenyou installer, which bundles offers for additional third-party applications that may be unwanted and installed without consent. The application setup.exe by BOn dOn jOv has been detected as adware by 26 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from cpadominator.com.
Publisher:
BOn dOn jOv  (signed and verified)

MD5:
e05c87c2a87decaa2722e4490944bd89

SHA-1:
d46bc0b35bc09de8745cd6fb87536ebb0e41a6e3

SHA-256:
354cf7b1638eb5c32e4bfd3639d3f233a7fa4ad97b0bff0e8547d9b062f78504

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
4/16/2024 12:12:54 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.Outbrowse.1
669

Agnitum Outpost
PUA.OutBrowse
7.1.1

AhnLab V3 Security
PUP/Win32.Eorezo
2015.04.07

Avira AntiVirus
PUA/Outbrowse.Gen
3.6.1.96

avast!
OutBrowse-DH [PUP]
150319-1

AVG
Potentially harmful program Downloader.DIN
2014.0.4311

Bitdefender
Gen:Variant.Application.Bundler.Outbrowse.1
1.0.20.480

Comodo Security
Application.Win32.AltBrowse.HY
21671

Dr.Web
infected with Trojan.OutBrowse.88
9.0.1.096

Emsisoft Anti-Malware
Gen:Variant.Application.Bundler.Outbrowse
8.15.04.06.08

ESET NOD32
Win32/OutBrowse.BU potentially unwanted application
9.7.0.302.0

Fortinet FortiGate
Riskware/OutBrowse
4/6/2015

F-Secure
Gen:Variant.Application.Bundler
11.2015-06-04_2

G Data
Gen:Variant.Application.Bundler.Outbrowse
15.4.25

herdProtect (fuzzy)
2015.7.10.5

K7 AntiVirus
DoS-Trojan
13.194.14930

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
14.0.0.1759

Malwarebytes
PUP.Optional.OutBrowse.gen
v2015.04.06.08

McAfee
Program.Adware-OutBrowse.e
5600.6803

MicroWorld eScan
Gen:Variant.Application.Bundler.Outbrowse.1
16.0.0.288

NANO AntiVirus
Trojan.Win32.OutBrowse.dnkyzt
0.30.10.952

Quick Heal
Adware.NSIS.OutBrowse.A
4.15.14.00

Reason Heuristics
PUP.Bundler.Outbrowse
15.4.6.16

Trend Micro House Call
Suspici.B3BC0FA9
7.2.96

Vba32 AntiVirus
Downloader.OutBrowse
3.12.26.3

VIPRE Antivirus
Threat.4823950
37240

File size:
578 KB (591,888 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/31/2015 6:00:00 PM

Valid to:
12/17/2015 5:59:59 PM

Subject:
CN=BOn dOn jOv, O=BOn dOn jOv, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
1F90E29060B700D6A2014E8405848982

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:w3tNSCXmligdHIyiMGCMYmr/O7B65tJYLeIp81swAoCeuhdGuDjY/Xrm:w6rQghIwGCbmbK8f82buhLX

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9758

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file setup.exe has been seen being distributed by the following URL.
