setupytb.exe

channel modern or and

Andrey Globin

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed without consent. The application setupytb.exe by Andrey Globin has been detected as adware by 35 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
is of (signed by Andrey Globin)

Product:
channel modern or and

Version:
0.2.0.0

MD5:
5f901d8c25afe9580e280f39244b0b44

SHA-1:
420ee2815e4f582a900195f1994c9656ca03d99a

SHA-256:
5e9529193f8b3689b491732e7c5e83e1de9fd70bde4301a0b2136694f72653dc

Scanner detections:
35 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 6:45:16 AM UTC

Scan engine                    Detection                             Engine version
Lavasoft Ad-Aware              Gen:Variant.Adware.Dropper.103        356
Agnitum Outpost                PUA.MultiPlug                         7.1.1
AhnLab V3 Security             PUP/Win32.Adware                      2015.08.28
Avira AntiVirus                TR/Graftor.141601.A                   8.3.2.2
avast!                         Win32:MultiPlug-AZ [PUP]              2014.9-160213
AVG                            Adware Generic_r                      2017.0.2834
Bitdefender                    Gen:Variant.Adware.Dropper.103        1.0.20.220
Bkav FE                        W32.HfsAdware                         1.3.0.7133
Clam AntiVirus                 Win.Adware.Agent-6737                 0.98/20843
Comodo Security                Application.Win32.Multiplug.GETF      23099
Dr.Web                         Trojan.Crossrider.17103               9.0.1.044
Emsisoft Anti-Malware          Gen:Variant.Adware.Dropper.103        8.16.02.13.04
ESET NOD32                     Win32/AdWare.MultiPlug.R application  10.7.0.302.0
Fortinet FortiGate             W32/Generic.AC.1814531                2/13/2016
F-Prot                         W32/A-42ffd3c6                        v6.4.7.1.166
F-Secure                       Gen:Variant.Adware.Dropper            11.2016-13-02_7
G Data                         Gen:Variant.Adware.Dropper.103        16.2.25
IKARUS anti.virus              Trojan.Graftor                        t3scan.1.9.5.0
K7 AntiVirus                   Adware                                13.2017031
Kaspersky                      not-a-virus:HEUR:AdWare.Win32.Agent   14.0.0.667
Malwarebytes                   PUP.Optional.MultiPlug                v2016.02.13.04
McAfee                         Program.PUP-FIC                       5600.6490
Microsoft Security Essentials  Threat.Undefined                      1.205.646.0
MicroWorld eScan               Gen:Variant.Adware.Dropper.103        17.0.0.132
NANO AntiVirus                 Riskware.Win32.Agent.cxvuow           0.30.24.3283
Norman                         Gen:Variant.Adware.Dropper.103        11.20160213
Panda Antivirus                Trj/Genetic.gen                       16.02.13.04
Qihoo 360 Security             Malware.QVM10.Gen                     1.0.0.1015
Quick Heal                     AdWare.MultiPlag.ace                  2.16.14.00
Reason Heuristics              PUP.WebPick.AndreyGlobin.Bundler (M)  16.2.13.16
Rising Antivirus               PE:Malware.MultiPlug!6.13CF[F1]       23.00.65.16211
Sophos                         PUA 'MultiPlug' (of type Adware)      5.17
Vba32 AntiVirus                AdWare.Win64.MultiPlag                3.12.26.4
VIPRE Antivirus                Threat.4150696                        42326
Zillya! Antivirus              Backdoor.PePatch.Win32.38083          2.0.0.2374

File size:
1.8 MB (1,836,600 bytes)

Product version:
0.2.0.0

Copyright:
Copyright (c) 2014

Original file name:
if reports databases

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\addons\setupytb.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
9/18/2013 3:00:00 AM

Valid to:
9/19/2014 2:59:59 AM

Subject:
CN=Andrey Globin, O=Andrey Globin, STREET=Gagarina 4, L=Kiev, S=Kiev, PostalCode=02094, C=UA

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6534084D6A4B724011508EF1B5AD13D6

File PE Metadata
Compilation timestamp:
5/12/2014 10:12:34 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:KrZGaq53hwd3Iu4NSF/3K5RAxonWBm9slAf4bUCosl8yybS:pvMD4e+DYm9slAAYc2dW

Entry address:
0x108BB

Entry point:
E8, CE, 49, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 30, 21, 42, 00, E8, AF, 20, 00, 00, E8, E0, 07, 00, 00, 0F, B7, F0, 6A, 02, E8, 61, 49, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 20, 37, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Code size:
103 KB (105,472 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=67920876&publisher_id=792&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=203762628&external_id=0&session_id=407525256&hardware_id=475446132&installer_file_name=setupytb

Remove setupytb.exe - Powered by Reason Core Security