setupespl.exe

often databases server

Sergiy Maratov

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, that may be installed without consent. The application setupespl.exe by Sergiy Maratov has been detected as adware by 34 of 68 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer and is typically executed from the user's temporary directory. While running, it connects to r1.stylezip.info on port 80 over HTTP. The file carries a Certum-issued code-signing certificate in the name of Sergiy Maratov; a valid signature attests only to who signed the file, not to whether the software is wanted. Detection names are mixed: most engines label the sample adware or a PUP (MultiPlug, InstallRex, WebPick), while a few use generic or file-infector names such as PE_SALITY.RL, so the consensus label, not the outliers, should drive triage.
Publisher:
individual as bugs print  (signed by Sergiy Maratov)

Product:
often databases server

Version:
2.8.0.0

MD5:
6ac575d57664ef6aff8d4e80c04e1b7b

SHA-1:
0a282a6fc2344cbae056f212b2526b7a272a3831

SHA-256:
b23a8ce44bb4decf15ba37e849658d0e00d195cb93139c11f964b4998d346573

Scanner detections:
34 / 68

Status:
Adware

Description:
This is also known as bundleware or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/19/2024 5:25:04 PM UTC

Scan engine                   Detection                                 Engine version
Lavasoft Ad-Aware             Gen:Variant.Adware.Dropper.103            857
AegisLab AV Signature         Troj.W32.Diple                            2.1.4+
Agnitum Outpost               PUA.MultiPlug                             7.1.1
AhnLab V3 Security            Win32/Kashu.E                             2014.07.08
Avira AntiVirus               ADWARE/Adware.Gen                         7.11.174.78
avast!                        Win32:MultiPlug-BF [PUP]                  140929-0
AVG                           Adware Generic5.BAVM                      2014.0.4025
Bitdefender                   Gen:Variant.Adware.Dropper.103            1.0.20.1365
Clam AntiVirus                Win.Adware.Agent-7825                     0.98/19460
Comodo Security               Application.Win32.MegaSearch.ATK          19614
Dr.Web                        Trojan.WebPick.2744                       9.0.1.05190
Emsisoft Anti-Malware         Gen:Variant.Adware.Dropper.103            14.09.30
ESET NOD32                    Win32/AdWare.MultiPlug.AP application     7.0.302.0
F-Prot                        W32/S-b6f5f973                            v6.4.7.1.166
F-Secure                      Gen:Variant.Adware.Dropper.103            11.2014-30-09_3
G Data                        Gen:Variant.Adware.Dropper.103            14.9.24
IKARUS anti.virus             PUP.InstallRex                            t3scan.1.6.1.0
K7 AntiVirus                  Virus                                     13.180.12643
Kaspersky                     not-a-virus:HEUR:WebToolbar.Win32.Cossder 14.0.0.3170
Malwarebytes                  PUP.Optional.MultiPlug.A                  v2014.09.30.11
McAfee                        PUP-FLT                                   5600.6991
Microsoft Security Essentials Threat.Undefined                          1.177.1852.0
MicroWorld eScan              Gen:Variant.Adware.Dropper.103            15.0.0.819
NANO AntiVirus                Trojan.Win32.WebPick.dckquz               0.28.2.62286
Norman                        Sality.ZHB                                11.20140930
Panda Antivirus               Trj/Genetic.gen                           14.09.30.11
Qihoo 360 Security            Malware.QVM19.Gen                         1.0.0.1015
Reason Heuristics             PUP.Installer.SergiyMaratov.J             14.9.30.23
Rising Antivirus              PE:Win32.KUKU.kt!1591113                  23.00.65.14928
Trend Micro House Call        PE_SALITY.RL                              7.2.273
Trend Micro                   PE_SALITY.RL                              10.465.30
Vba32 AntiVirus               Trojan.Swisyn                             3.12.26.3
VIPRE Antivirus               Threat.4721115                            29708
Zillya! Antivirus             Backdoor.Klon.Win32.1059                  2.0.0.1930

File size:
1.9 MB (2,013,992 bytes)

Product version:
2.8.0.0

Copyright:
Copyright (c) 2014

Original file name:
be

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\setupespl.exe

Digital Signature
Signed by:
Sergiy Maratov
Authority:
Unizeto Technologies S.A.

Valid from:
6/24/2014 3:43:54 AM

Valid to:
6/24/2015 3:43:54 AM

Subject:
E=SergiyIvanovich@hotmail.com, CN=Sergiy Maratov, O=Sergiy Maratov, C=RU

Issuer:
CN=Certum Code Signing CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
774A5B60838D600A3706CAB0BC5A6286

File PE Metadata
Compilation timestamp:
7/17/2014 10:04:13 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:fWk1RcPgVyJ0rdJCM519Pvv9vHzSzfvnSnqEkIM+:940rdF11vVSzfvSTE+

Entry address:
0x18C2B

Entry point:
E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 18, EE, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 53, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
7.9227  (probably packed)
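The "probably packed" verdict above comes from whole-file Shannon entropy: a buffer of native code and headers usually measures around 5 to 6.5 bits per byte, while compressed or encrypted payloads approach the 8-bit ceiling, which is where this sample's 7.9227 sits. The following is an added example, not code from the page or from the software it describes, showing that calculation next to the three hashes a lookup like this one is keyed on. The 7.2 cut-off and the two constructed input buffers are assumptions for illustration only.

```python
# Added example (not part of the original page): whole-file Shannon entropy
# as a packing heuristic, plus MD5/SHA-1/SHA-256 identifiers for a sample.
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def probably_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Flag buffers whose entropy approaches that of random data.

    The 7.2 bits/byte cut-off is an assumption chosen for this example;
    analysis tools use their own thresholds and often measure per PE section.
    """
    return shannon_entropy(data) >= threshold


def file_hashes(data: bytes) -> dict:
    """Hex digests in the three algorithms vendor lookups commonly accept."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def triage_bytes(data: bytes) -> dict:
    """The summary fields a lookup page would print for one sample."""
    return {
        **file_hashes(data),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "probably_packed": probably_packed(data),
    }


# Constructed samples (not real files): a repetitive text-like buffer and a
# deterministic pseudo-random buffer standing in for a packed payload.
PLAINTEXT_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 200
_rng = random.Random(20140717)  # fixed seed so the result is reproducible
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(65536))

if __name__ == "__main__":
    for label, buf in (("text", PLAINTEXT_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage_bytes(buf))
```

To run it on a file, pass `open(path, "rb").read()` to `triage_bytes`; for a real PE, measuring each section separately from its header table is more telling than one whole-file figure, since a single packed `.rsrc` or overlay can drag the aggregate up.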

Code size:
141 KB (144,384 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

 
http://c1.stylezip.info/?step_id=1&installer_id=11191968&publisher_id=119&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=33575904&external_id=0&session_id=67151808&hardware_id=78343776&installer_file_name=setupespl
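The beacon above carries installer, publisher, download, session and hardware identifiers as query parameters, which is what makes this traffic easy to pick out of a proxy log and tie back to a process launched from the `{random}.tmp\temp` folder listed under "Common path". The following is an added example, not code from the page or from Reason Core Security, that matches the indicators on this page (SHA-256, hosts, IP, path pattern) against constructed endpoint and proxy events. The event dictionary format, the `ab12cd.tmp` folder name and the non-matching control events are assumptions made for the example.

```python
# Added example (not part of the original page): match the page's indicators
# against constructed process-creation and HTTP proxy events.
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the page.
IOC_SHA256 = {"b23a8ce44bb4decf15ba37e849658d0e00d195cb93139c11f964b4998d346573"}
IOC_HOSTS = {"r1.stylezip.info", "c1.stylezip.info"}
IOC_IPS = {"54.186.255.26"}

# Launch pattern from "Common path": %LOCALAPPDATA%\Temp\{random}.tmp\temp\*.exe
TEMP_TMP_EXE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.tmp\\temp\\[^\\]+\.exe$", re.IGNORECASE)

# Query keys present in the page's beacon URL that identify the install.
BEACON_KEYS = ("step_id", "installer_id", "publisher_id", "download_id",
               "session_id", "hardware_id", "installer_file_name")


def is_temp_tmp_exe(path: str) -> bool:
    """True when an image path follows the {random}.tmp\\temp\\ launch pattern."""
    return bool(TEMP_TMP_EXE.search(path))


def parse_beacon(url: str):
    """Return the tracking fields of a beacon to a listed host, else None."""
    parts = urlsplit(url)
    if parts.hostname not in IOC_HOSTS:
        return None
    qs = parse_qs(parts.query)
    return {k: qs[k][0] for k in BEACON_KEYS if k in qs}


def triage(events):
    """Events are dicts with 'type' of 'process' or 'http' (a constructed shape).

    Returns (event id, reason) pairs; one event can produce several findings.
    """
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if ev.get("sha256", "").lower() in IOC_SHA256:
                findings.append((ev["id"], "SHA-256 matches the listed sample"))
            if is_temp_tmp_exe(ev["image"]):
                findings.append((ev["id"], "executed from %TEMP%\\{random}.tmp\\temp"))
        elif ev["type"] == "http":
            beacon = parse_beacon(ev["url"])
            if beacon is not None:
                findings.append((ev["id"], "installer beacon, installer_id=%s hardware_id=%s"
                                 % (beacon.get("installer_id"), beacon.get("hardware_id"))))
            elif ev.get("dst_ip") in IOC_IPS:
                findings.append((ev["id"], "traffic to listed IP " + ev["dst_ip"]))
    return findings


# Constructed events: 1 and 3 reproduce the page's path, hash and beacon URL;
# 2 and 4 are benign controls that must not match.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "image": r"C:\users\alice\appdata\local\temp\ab12cd.tmp\temp\setupespl.exe",
     "sha256": "B23A8CE44BB4DECF15BA37E849658D0E00D195CB93139C11F964B4998D346573"},
    {"id": 2, "type": "process",
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
    {"id": 3, "type": "http", "dst_ip": "54.186.255.26",
     "url": "http://c1.stylezip.info/?step_id=1&installer_id=11191968&publisher_id=119"
            "&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4"
            "&download_id=33575904&external_id=0&session_id=67151808"
            "&hardware_id=78343776&installer_file_name=setupespl"},
    {"id": 4, "type": "http", "dst_ip": "192.0.2.10",
     "url": "http://example.com/index.html"},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(event_id, reason)
```

The hash match is the only exact indicator; the path pattern and the beacon parameters are behavioural and will also catch other InstalleRex-built installers, which is usually what you want when hunting for bundleware rather than this one binary.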

Remove setupespl.exe - Powered by Reason Core Security