» setupytb.exe
Overview
Analysis
File Details
Network (2)

setupytb.exe

a used

Sergiy Maratov

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application setupytb.exe by Sergiy Maratov has been detected as adware by 39 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.

File name:

setupytb.exe

Publisher:

to much (signed by Sergiy Maratov)

Product:

a used

Version:

4.5.0.0

MD5:

31d6b9171f4e9dd3e790657309913dd4

SHA-1:

221dd071fd325cb773bf1c4a53a2b53d8e4db612

SHA-256:

2a61f0127a0aebfd00e9283884659e1f5911a00d2da0973834a1d25aaa202e93

Scanner detections:

39 / 68

Status:

Adware

Explanation:

The software may change the browser's home page and search provider settings as well as display advertisements.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

4/25/2024 7:21:23 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Win32.Sality.3

928

Agnitum Outpost

Win32.Sality.BL

7.1.1

AhnLab V3 Security

Win32/Kashu.E

2014.07.08

Avira AntiVirus

W32/Sality.AT

7.11.30.172

avast!

Win32:Sality

2014.9-140722

AVG

Win32/Sality

2015.0.3406

Baidu Antivirus

Virus.Win32.Sality.$Emu

4.0.3.14722

Bitdefender

Win32.Sality.3

1.0.20.1015

Bkav FE

W32.Sality.PE

1.3.0.4959

Comodo Security

Virus.Win32.Sality.Gen

18804

Dr.Web

Trojan.Crossrider.25338

9.0.1.0203

Emsisoft Anti-Malware

Win32.Sality

8.14.07.22.10

ESET NOD32

Win32/Sality.NBA virus

8.7.0.302.0

F-Prot

W32/Sality.gen2

v6.4.6.5.141

F-Secure

Win32.Sality.3

11.2014-22-07_3

G Data

Win32.Sality

14.7.24

IKARUS anti.virus

PUP.InstallRex

t3scan.1.6.1.0

K7 AntiVirus

Virus

13.180.12643

Kaspersky

Virus.Win32.Sality

14.0.0.3523

Malwarebytes

PUP.Optional.MultiPlug.A

v2014.07.22.10

McAfee

W32/Sality.gen.z

5600.7062

Microsoft Security Essentials

Threat.Undefined

1.177.1852.0

MicroWorld eScan

Win32.Sality.3

15.0.0.609

NANO AntiVirus

Virus.Win32.Sality.beygb

0.28.0.60698

Norman

Sality.ZHB

11.20140722

nProtect

Virus/W32.Sality.D

14.07.07.01

Panda Antivirus

W32/Sality.AA

14.07.22.10

Qihoo 360 Security

Malware.QVM19.Gen

1.0.0.1015

Quick Heal

W32.Sality.U

7.14.14.00

Reason Heuristics

PUP.Installer.SergiyMaratov.I

14.7.27.13

Rising Antivirus

PE:Win32.KUKU.kt!1591113

23.00.65.14720

Sophos

Mal/Sality-D

4.98

Total Defense

Win32/Sality.AA

37.0.11046

Trend Micro House Call

PE_SALITY.RL

7.2.203

Trend Micro

PE_SALITY.RL

10.465.22

Vba32 AntiVirus

Virus.Win32.Sality.bakc

3.12.26.3

VIPRE Antivirus

Threat.4721115

29708

ViRobot

Win32.Sality.N

2011.4.7.4223

Zillya! Antivirus

Virus.Sality.Win32.20

2.0.0.1850

File size:

1.9 MB (1,943,912 bytes)

Product version:

4.5.0.0

Original file name:

responsible an

File type:

Executable application (Win32 EXE)

Bundler/Installer:

WebPick InstalleRex

Language:

English (United Kingdom)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\addons\setupytb.exe

Digital Signature

Signed by:

Sergiy Maratov

Authority:

Unizeto Technologies S.A.

Valid from:

6/24/2014 11:43:54 AM

Valid to:

6/24/2015 11:43:54 AM

Subject:

E=SergiyIvanovich@hotmail.com, CN=Sergiy Maratov, O=Sergiy Maratov, C=RU

Issuer:

CN=Certum Code Signing CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:

774A5B60838D600A3706CAB0BC5A6286

File PE Metadata

Compilation timestamp:

7/20/2014 7:09:08 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

24576:PLQ1I/5saYMo45muRCm4nYzuSnXt1i0hquteIPz0LS9VmBNP13qKnhea2Hoe8rYl:TQy/ktwgmSIJqIz0XNP13Tncpz8oy3uV

Entry address:

0x1929B

Entry point:

E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 80, EE, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 53, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Entropy:

7.9116 (probably packed)

Code size:

142.5 KB (145,920 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to r1.stylezip.info (54.186.255.26:80)

TCP (HTTP):

Connects to c1.stylezip.info (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=8053558&publisher_id=053&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=24160674&external_id=0&session_id=48321348&hardware_id=56374906&installer_file_name=setupytb

Remove setupytb.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.