setup.exe

Deepwell

The application setup.exe by Deepwell has been detected as adware by 18 anti-malware scanners. The program is a setup application built with the Tomorrow Software Installer. The file has been seen being downloaded from www.downthat.com.
Publisher:
Full Savvy Install (signed by Deepwell)

Product:
Full Savvy Install

Version:
75.9.4.6363

MD5:
5f55335883514fc54f8af7546a88bc0c

SHA-1:
efeaf5ec928c3071dfc670de912140c2d4130819

SHA-256:
c0e52af47739343faff6b8d7902197c80ef8fe93b53afd8d871f7a4c78315433

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications, using the Vittalia monetization installer.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
9/20/2024 11:58:35 PM UTC

Scan engine         Detection                                             Engine version
Agnitum Outpost     Riskware.Agent                                        7.1.1
AVG                 Generic                                               2017.0.2843
Baidu Antivirus     PUA.Win32.DownloadAdmin                               4.0.3.1624
Bkav FE             W32.HfsAdware                                         1.3.0.7383
Dr.Web              Trojan.Vittalia.735                                   9.0.1.035
ESET NOD32          Win32/DownloadAdmin.P potentially unwanted (variant)  10.12462
Fortinet FortiGate  Riskware/DownloadAdmin                                2/4/2016
F-Prot              W32/S-3bfe598a                                        v6.4.7.1.166
K7 AntiVirus        Adware                                                13.212.17641
Malwarebytes        PUP.Optional.DownLoadAdmin                            v2016.02.04.12
McAfee              Artemis!0EF26F8F2FF4                                  5600.6499
NANO AntiVirus      Trojan.Win32.Vittalia.dxxgfw                          0.30.26.3947
Qihoo 360 Security  HEUR/QVM10.1.Malware.Gen                              1.0.0.1015
Reason Heuristics   PUP.TomorrowSoftware.Deepwell.Bundler (M)             16.2.4.12
Rising Antivirus    PE:Malware.RDM.04!5.A[F1]                             23.00.65.16202
Sophos              Download Admin (PUA)                                  4.98
VIPRE Antivirus     Trojan.Win32.Generic                                  44806
Zillya! Antivirus   Adware.AdPeak.Win32.252                               2.0.0.2472

File size:
866.8 KB (887,600 bytes)

Product version:
75.9.4.6363

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Tomorrow Software Installer

Language:
English (United States)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
9/10/2015 3:38:55 PM

Valid to:
9/10/2016 3:38:55 PM

Subject:
CN=Deepwell, O=Deepwell, L=San Francisco, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0080C523CA00812FD1

File PE Metadata
Compilation timestamp:
10/14/2014 11:32:28 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:Ip3Bg30Lwf92kZhVPHpCxCR+QGZMP8EL6T6Op:k00L49phLCxS+iP8EmT6e

Entry address:
0x36CF

Entry point:
E8, BC, A1, 00, 00, E9, BE, 9A, 00, 00, CC, CC, CC, CC, CC, CC, CC, FF, 25, 4C, 47, 41, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 83, EC, 78, 56, 57, E8, C6, 0C, 00, 00, E8, F1, DE, FF, FF, 8B, B4, 24, 88, 00, 00, 00, 8B, BC, 24, 84, 00, 00, 00, 56, 57, E8, 5C, 10, 00, 00, 56, 57, E8, B5, E1, FF, FF, 8B, 06, 83, C4, 10, 50, FF, 15, 4C, F0, 40, 00, 83, F8, FF, 74, 2E, 8B, 0E, 68, D4, 46, 41, 00, 68, C8, 44, 41, 00, 68, 04, 01, 00, 00, 51, FF, 15, DC, F0, 40, 00, 85, C0, 74, 07, 3D, 04, 01, 00, 00, 76, 2B...

Code size:
52.5 KB (53,760 bytes)

The file setup.exe has been seen being distributed by the following URL.

Remove setup.exe - Powered by Reason Core Security