ytd.exe

YTD Video Downloader

Greentree Applications SRL

The application ytd.exe by Greentree Applications SRL has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
Greentree Applications SRL  (signed and verified)

Product:
YTD Video Downloader

Version:
5, 7, 2

MD5:
609bbb7d0184cfa90613bc173a4d02f4

SHA-1:
345c5db0eac30a037a78a791013703b4c4b40e3e

SHA-256:
d6939ad13412a8f5d21c454dd975429baca2824f2089086bedaa864a393891bc

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
5/27/2018 9:39:50 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Optional.Greentre
16.6.15.13

File size:
1.7 MB (1,770,784 bytes)

Product version:
5, 7, 2

Copyright:
Copyright © 2007-2015 GreenTree Applications SRL

Original file name:
ytd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\greentree applications\ytd video downloader\ytd.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
6/16/2015 5:30:00 AM

Valid to:
8/15/2017 5:29:59 AM

Subject:
CN=Greentree Applications SRL, O=Greentree Applications SRL, L=Bucharest, S=Bucharest, C=RO

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
65DB5B5BDFCE9083EDF79253BABF4963

File PE Metadata
Compilation timestamp:
6/14/2016 6:41:38 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:lp0BHE/K42QoZxTprXorstOTUwD50YGpxkIWlOFp2Cf/llJByis9542vZlKUORlp:4BkS/JJrYrh5opWYPFlJByis9vali5k

Entry address:
0xB8017

Entry point:
E8, A4, 50, 01, 00, E9, 79, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 00, 01, 00, 00, 72, 0E, 83, 3D, A8, C9, 52, 00, 00, 74, 05, E9, 51, 51, 01, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07...
 
[+]

Entropy:
6.5198

Code size:
946.5 KB (969,216 bytes)

The file ytd.exe has been seen being distributed by the following URL.

temp:ytd.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (95.211.187.107:80)

TCP (HTTP):
Connects to cac-lnx1.m.nwu.ac.za  (143.160.220.204:80)

TCP (HTTP SSL):
Connects to 144.193.166.202.ether.static.wlink.com.np  (202.166.193.144:443)

TCP (HTTP SSL):
Connects to fna-fbcdn-video-shv-02-fbom1.fbcdn.net  (157.240.191.82:443)

TCP (HTTP SSL):
Connects to cache.google.com  (200.105.131.14:443)

TCP (HTTP SSL):
Connects to 152.193.166.202.ether.static.wlink.com.np  (202.166.193.152:443)

TCP (HTTP):
Connects to vip170.ssl.hwcdn.net  (205.185.208.170:80)

TCP (HTTP SSL):
Connects to host-213.158.178.14.tedata.net  (213.158.178.14:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-cdg2.facebook.com  (179.60.192.36:443)

TCP (HTTP SSL):
Connects to broadband.actcorp.in  (202.83.21.77:443)

TCP (HTTP):

TCP (HTTP):
Connects to a23-55-149-163.deploy.static.akamaitechnologies.com  (23.55.149.163:80)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):
Connects to 187.193.166.202.ether.static.wlink.com.np  (202.166.193.187:80)

TCP (HTTP SSL):
Connects to 180.193.166.202.ether.static.wlink.com.np  (202.166.193.180:443)

TCP (HTTP):
Connects to 173.193.166.202.ether.static.wlink.com.np  (202.166.193.173:80)

TCP (HTTP SSL):
Connects to 167.193.166.202.ether.static.wlink.com.np  (202.166.193.167:443)

TCP (HTTP):
Connects to 160.193.166.202.ether.static.wlink.com.np  (202.166.193.160:80)

TCP (HTTP):
Connects to 159.193.166.202.ether.static.wlink.com.np  (202.166.193.159:80)

Remove ytd.exe - Powered by Reason Core Security