setupytb.exe

world information which

Sergiy Maratov

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed without consent. The application setupytb.exe by Sergiy Maratov has been detected as adware by 31 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer and is typically executed from the user's temporary directory. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.
Publisher:
necessitate like (signed by Sergiy Maratov)

Product:
world information which

Version:
2.5.0.0

MD5:
046cf49ca201695d470c1b0ae98f1a07

SHA-1:
b7976018e60e024e5a8224fe2f021c0c0c5caa3d

SHA-256:
0cbdc6970c1650184ebb0a3e737ba5767119a8aa5ec94645da1c36ac01b889fa

Scanner detections:
31 / 68

Status:
Adware

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 7:22:48 PM UTC

Scan engine              Detection                                    Engine version
Lavasoft Ad-Aware        Gen:Variant.Adware.Dropper.103               5535153
Agnitum Outpost          PUA.MultiPlug                                7.1.1
Avira AntiVirus          ADWARE/Adware.Gen                            8.3.1.6
avast!                   Win32:MultiPlug-BF [PUP]                     150521-0
AVG                      Adware Generic5.BDZW                         2014.0.4311
Bitdefender              Gen:Variant.Adware.Dropper.103               1.0.20.710
Bkav FE                  W32.HfsAdware                                1.3.0.6379
Clam AntiVirus           Win.Adware.Agent-8079                        0.98/20498
Comodo Security          Application.Win32.MegaSearch.ATK             22210
Dr.Web                   Trojan.WebPick.2795                          9.0.1.05190
Emsisoft Anti-Malware    Gen:Variant.Adware.Dropper.103               10.0.0.5366
ESET NOD32               Win32/AdWare.MultiPlug.AP application        7.0.302.0
Fortinet FortiGate       W32/Generic.AC.445                           5/22/2015
F-Prot                   W32/A-7705bbff                               v6.4.7.1.166
F-Secure                 Gen:Variant.Adware.Dropper                   5.14.151
G Data                   Gen:Variant.Adware.Dropper.103               15.5.25
IKARUS anti.virus        AdWare.Graftor                               t3scan.1.8.9.0
K7 AntiVirus             Adware                                       13.204.16000
Kaspersky                not-a-virus:HEUR:WebToolbar.Win32.Cossder    14.0.0.2002
Malwarebytes             PUP.Optional.Multiplug                       v2015.05.22.02
McAfee                   Program.PUP-FLT                              17.6.569.0
MicroWorld eScan         Gen:Variant.Adware.Dropper.103               16.0.0.426
NANO AntiVirus           Trojan.Win32.WebPick.ddkmpr                  0.30.24.1636
Norman                   Gen:Variant.Adware.Dropper.103               03.12.2014 13:20:04
Panda Antivirus          Trj/Genetic.gen                              15.05.22.02
Quick Heal               AdWare.MultiPlug.r5 (Not a Virus)            5.15.14.00
Reason Heuristics        PUP.Installer.SergiyMaratov                  15.5.22.14
Rising Antivirus         PE:Adware.Dropper!6.1AB0                     23.00.65.15520
Sophos                   PUA 'MultiPlug' (of type Adware)             5.14
VIPRE Antivirus          Threat.4150696                               40432
Zillya! Antivirus        Backdoor.Klon.Win32.1086                     2.0.0.2187

File size:
1.8 MB (1,929,512 bytes)

Product version:
2.5.0.0

Copyright:
Copyright (c) 2014

Original file name:
both

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\setupytb.exe

Digital Signature
Signed by:

Authority:
Unizeto Technologies S.A.

Valid from:
6/24/2014 1:43:54 PM

Valid to:
6/24/2015 1:43:54 PM

Subject:
E=SergiyIvanovich@hotmail.com, CN=Sergiy Maratov, O=Sergiy Maratov, C=RU

Issuer:
CN=Certum Code Signing CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
774A5B60838D600A3706CAB0BC5A6286

File PE Metadata
Compilation timestamp:
8/2/2014 2:04:41 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:mLd8kOhDgI/8K8H2tzLQgDWldD4jcObB3qCyTT/uX:jklmLPKlibBKOX

Entry address:
0x1918B

Entry point:
E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 78, EE, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, C3, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
7.9190  (probably packed)

Code size:
142.5 KB (145,920 bytes)

The executing file has been observed making the following network communications in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

TCP (HTTP):
Connects to c1.stylezip.info  (54.186.255.26:80)

http://c1.stylezip.info/?step_id=1&installer_id=21879374&publisher_id=187&source_id=0&page_id=0&country_code=US&locale=US&browser_id=4&download_id=65638122&external_id=0&session_id=131276244&hardware_id=153155618&installer_file_name=setupytb

Remove setupytb.exe - Powered by Reason Core Security