setup_product_1145.exe

SETUPPROCESS

This is the Solimba installer program, which bundles additional offers consisting mostly of adware and various unwanted PC utilities. The application setup_product_1145.exe by SETUPPROCESS has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the Solimba DownloadMR installer. During install, it places potentially unwanted software on the user's computer alongside the intended program without adequate consent. It is also typically executed from an Internet Explorer cache folder. While running, it connects to the Internet address cdn.solimba.com on port 80 using the HTTP protocol.
Publisher:
setup process (signed by SETUPPROCESS)

Description:
Setup Manager

Version:
3.0.30.1

MD5:
0f884217adc1606ad7514fd04d933a1d

SHA-1:
dcd21f1dc99d85b503714f05257729bac2b34687

SHA-256:
f45639cc06a34a21c53da6fdfdbffda39c28b4b81dc1980979006d1d6f2fb40c

Scanner detections:
18 / 68

Status:
Adware

Explanation:
May bundle additional potentially unwanted software such as adware during setup.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/30/2024 4:38:24 AM UTC

Scan engine             Detection                                 Engine version
Agnitum Outpost         PUA.Firseria                              7.1.1
Avira AntiVirus         APPL/Firseria.D                           7.11.130.56
avast!                  Win32:Adware-gen [Adw]                    2014.9-140311
Comodo Security         Application.Win32.FirseriaInstaller.BCB   17756
Dr.Web                  Trojan.DownLoader11.3686                  9.0.1.070
ESET NOD32              Win32/FirseriaInstaller (variant)         8.9399
Fortinet FortiGate      Adware/Firseria                           3/11/2014
G Data                  Win32.Application.Morstar                 14.3.24
IKARUS anti.virus       Win32.AdWare                              t3scan.2.2.29
Malwarebytes            PUP.Optional.BundleInstaller.A            v2014.03.11.07
McAfee                  Artemis!0F884217ADC1                      5600.7194
NANO AntiVirus          Trojan.Win32.DownLoader11.ctdbpw          0.28.0.57630
Qihoo 360 Security      HEUR/Malware.QVM11.Gen                    1.0.0.1015
Reason Heuristics       PUP.Installer.SETUPPROCESS.S              14.3.11.19
Sophos                  Solimba Installer                         4.97
Trend Micro House Call  TROJ_GEN.F47V0203                         7.2.70
Vba32 AntiVirus         Downware.Morstar                          3.12.24.3
VIPRE Antivirus         DownloadMR                                26290

File size:
258.4 KB (264,560 bytes)

Product version:
3.0.28

Copyright:
Copyright © 2014

Original file name:
setup_install.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Solimba DownloadMR

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup_product_1145.exe

Digital Signature
Signed by:
SETUPPROCESS
Authority:
DigiCert Inc

Valid from:
11/27/2013 3:00:00 AM

Valid to:
12/1/2014 3:00:00 PM

Subject:
CN=SETUPPROCESS, O=SETUPPROCESS, L=Badalona, S=Barcelona, C=ES

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0A8ABFC7C80D0C2F0A3A89CF6139A91D

File PE Metadata
Compilation timestamp:
1/30/2014 1:15:34 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:0IJP4jadW8oBS2H8jJeOmH5AXtywLBVfYAsgdIzAudJA:tP4j+jos2HCJeOmZSflNYARwdJA

Entry address:
0x73950

Entry point:
60, BE, 00, E0, 43, 00, 8D, BE, 00, 30, FC, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Entropy:
7.6943

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
216 KB (221,184 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cdn.solimba.com (95.211.6.35:80)

TCP (HTTP):
Connects to api.downloadmr.com (95.211.39.161:80)

URL:
http://api.downloadmr.com/installer/8879649/launch

Powered by Reason Core Security