ytd.exe

YTD Video Downloader

Greentree Applications SRL

The application ytd.exe by Greentree Applications SRL has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
Greentree Applications SRL  (signed and verified)

Product:
YTD Video Downloader

Version:
5, 7, 1, 1

MD5:
3b55c73aa3c8a99c8150028015e13d20

SHA-1:
16411d2991c07b561445ab8adc914860f2de279d

SHA-256:
03f7b4c0c525562a7f3165c52075903c1e143f2272b94c7d3bb53677b2d24cd4

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
8/22/2018 6:44:49 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Optional.Greentre.Task
16.6.29.15

File size:
1.7 MB (1,770,784 bytes)

Product version:
5, 7, 1, 1

Copyright:
Copyright © 2007-2015 GreenTree Applications SRL

Original file name:
ytd.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\greentree applications\ytd video downloader\ytd.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
6/16/2015 3:00:00 AM

Valid to:
8/15/2017 2:59:59 AM

Subject:
CN=Greentree Applications SRL, O=Greentree Applications SRL, L=Bucharest, S=Bucharest, C=RO

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
65DB5B5BDFCE9083EDF79253BABF4963

File PE Metadata
Compilation timestamp:
6/28/2016 5:39:37 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:OlGAOb7jo+x1PM1dJNB9dAbeDsyvTSteO:OlGAOb7M4idJD9M

Entry address:
0xB8097

Entry point:
E8, A4, 50, 01, 00, E9, 79, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 00, 01, 00, 00, 72, 0E, 83, 3D, A8, C9, 52, 00, 00, 74, 05, E9, 51, 51, 01, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07...
 
[+]

Entropy:
6.5209

Code size:
946.5 KB (969,216 bytes)

Scheduled Task
Task name:
{47F53C9D-7165-4CF2-AB33-D4EFED05B918}

Trigger:
Registration (Runs on registration)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (95.211.187.107:80)

TCP (HTTP SSL):
Connects to cache.google.com  (181.188.0.91:443)

TCP (HTTP):
Connects to redirect.fr7.hwcdn.net  (81.171.60.122:80)

TCP (HTTP):
Connects to host-213.158.189.237.tedata.net  (213.158.189.237:80)

TCP (HTTP SSL):
Connects to host-213.158.189.223.tedata.net  (213.158.189.223:443)

TCP (HTTP SSL):
Connects to host-213.158.163.204.tedata.net  (213.158.163.204:443)

TCP (HTTP):
Connects to ggc-node.ggc-rtr.niig.com.np  (202.51.65.39:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-amt2.facebook.com  (31.13.64.35:443)

TCP (HTTP SSL):
Connects to dh-in-f136.1e100.net  (209.85.203.136:443)

TCP (HTTP):
Connects to a23-55-149-163.deploy.static.akamaitechnologies.com  (23.55.149.163:80)

TCP (HTTP):

TCP (HTTP SSL):
Connects to a184-25-108-24.deploy.static.akamaitechnologies.com  (184.25.108.24:443)

TCP (HTTP SSL):
Connects to 84-235-77-18.saudi.net.sa  (84.235.77.18:443)

TCP (HTTP SSL):
Connects to 80-87-65-141-dedicated.ghanatel.com.gh  (80.87.65.141:443)

TCP (HTTP SSL):
Connects to 142.193.166.202.ether.static.wlink.com.np  (202.166.193.142:443)

TCP (HTTP SSL):
Connects to 141.193.166.202.ether.static.wlink.com.np  (202.166.193.141:443)

Remove ytd.exe - Powered by Reason Core Security