setupcl.exe

Somoto Limited

This is the Somoto BetterInstaller, an installer that bundles applications with offers for additional third-party software, mostly unwanted adware, which may be installed without consent. The application setupcl.exe by Somoto Limited has been detected as adware by 17 anti-malware scanners. The program is a setup application built on the Somoto BetterInstaller, an adware installer that bundles offers for third-party applications, mostly adware toolbars, with legitimate software. These offers are typically installed onto users' PCs by default, but may include an option to opt out during or after the installation process.
Publisher:
Somoto Limited  (signed and verified)

MD5:
510d57697b88421f4fe91a3b2e6a3995

SHA-1:
e5d3e6b056db9761ef5ad8d91d6d50b2d1769e50

SHA-256:
9fac6a1b72726c32a5afab461347b013e21fbdfcd948faf62cedab6d8bc08400

Scanner detections:
17 / 68

Status:
Adware

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/23/2024 1:46:57 PM UTC

Scan engine
Detection
Engine version

AhnLab V3 Security
Win32/Kashu.E
2014.11.15

Avira AntiVirus
APPL/Somoto.hzit
7.11.163.176

avast!
Win32:Kukacka
2014.9-141129

AVG
Somoto
2015.0.3402

Dr.Web
Trojan.Packed.28357
9.0.1.0333

G Data
Win32.Application.Somoto
14.7.24

IKARUS anti.virus
PUA.Somoto
t3scan.1.6.1.0

K7 AntiVirus
Virus
13.185.14021

Malwarebytes
PUP.Optional.Somoto
v2014.11.29.08

Microsoft Security Essentials
Threat.Undefined
1.187.2193.0

Norman
Sality.ZHB
11.20141129

Qihoo 360 Security
Malware.QVM19.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.SomotoLimited.H
14.7.26.4

Rising Antivirus
PE:Win32.KUKU.kt!1591113
23.00.65.141127

Trend Micro House Call
PE_SALITY.RL
7.2.333

Trend Micro
PE_SALITY.RL
10.465.29

VIPRE Antivirus
Trojan.Win32.Generic
31540

File size:
201.8 KB (206,624 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Somoto BetterInstaller

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setupcl.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
11/11/2013 1:00:00 AM

Valid to:
11/16/2015 1:00:00 PM

Subject:
CN=Somoto Limited, O=Somoto Limited, L=Tel Aviv, S=Tel Aviv, C=IL

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
05805984E5838EE41CFD82C4057379F9

File PE Metadata
Compilation timestamp:
7/2/2014 4:50:53 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:CsYk6MmV1hoigD6seDNRAdwI16Z5RQfVJwJkERKh/Qp/M+eBIFrNgYRKVsSb:Vxmnh86Ln8wDrafXwfKh/NCR5R2

Entry address:
0x17226

Entry point:
E8, 84, 58, 00, 00, E9, 89, FE, FF, FF, 66, 0F, EF, C0, 51, 53, 8B, C1, 83, E0, 0F, 85, C0, 75, 7F, 8B, C2, 83, E2, 7F, C1, E8, 07, 74, 37, 8D, A4, 24, 00, 00, 00, 00, 66, 0F, 7F, 01, 66, 0F, 7F, 41, 10, 66, 0F, 7F, 41, 20, 66, 0F, 7F, 41, 30, 66, 0F, 7F, 41, 40, 66, 0F, 7F, 41, 50, 66, 0F, 7F, 41, 60, 66, 0F, 7F, 41, 70, 8D, 89, 80, 00, 00, 00, 48, 75, D0, 85, D2, 74, 37, 8B, C2, C1, E8, 04, 74, 0F, EB, 03, 8D, 49, 00, 66, 0F, 7F, 01, 8D, 49, 10, 48, 75, F6, 83, E2, 0F, 74, 1C, 8B, C2, 33, DB, C1, EA, 02...

Code size:
126.5 KB (129,536 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-59-63.gru1.r.cloudfront.net  (54.192.59.63:80)

TCP (HTTP):
Connects to server-54-192-59-242.gru1.r.cloudfront.net  (54.192.59.242:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (52.216.226.80:80)

TCP (HTTP):
Connects to server-54-192-59-139.gru1.r.cloudfront.net  (54.192.59.139:80)

TCP (HTTP):
Connects to server-54-192-59-98.gru1.r.cloudfront.net  (54.192.59.98:80)

TCP (HTTP):
Connects to server-54-192-59-146.gru1.r.cloudfront.net  (54.192.59.146:80)

TCP (HTTP):
Connects to server-52-84-174-34.gru50.r.cloudfront.net  (52.84.174.34:80)

TCP (HTTP):
Connects to server-52-84-174-154.gru50.r.cloudfront.net  (52.84.174.154:80)

TCP (HTTP):
Connects to server-52-84-174-104.gru50.r.cloudfront.net  (52.84.174.104:80)

TCP (HTTP):
Connects to server-54-230-79-25.cdg50.r.cloudfront.net  (54.230.79.25:80)

TCP (HTTP):
Connects to server-54-230-130-73.ams50.r.cloudfront.net  (54.230.130.73:80)

TCP (HTTP):
Connects to server-54-192-159-137.sin3.r.cloudfront.net  (54.192.159.137:80)

TCP (HTTP SSL):
Connects to server-52-85-167-61.gig50.r.cloudfront.net  (52.85.167.61:443)

TCP (HTTP):
Connects to server-52-85-167-40.gig50.r.cloudfront.net  (52.85.167.40:80)

TCP (HTTP):
Connects to server-52-85-167-252.gig50.r.cloudfront.net  (52.85.167.252:80)

TCP (HTTP):
Connects to server-52-85-167-171.gig50.r.cloudfront.net  (52.85.167.171:80)

TCP (HTTP):
Connects to server-52-85-167-160.gig50.r.cloudfront.net  (52.85.167.160:80)

TCP (HTTP):
Connects to server-52-85-167-112.gig50.r.cloudfront.net  (52.85.167.112:80)

TCP (HTTP):
Connects to server-52-84-174-46.gru50.r.cloudfront.net  (52.84.174.46:80)

TCP (HTTP):
Connects to server-52-84-174-107.gru50.r.cloudfront.net  (52.84.174.107:80)

Remove setupcl.exe - Powered by Reason Core Security