ytdi_getdu_setup.exe

Goobzo LTD

The application ytdi_getdu_setup.exe by Goobzo has been detected as adware by 27 anti-malware scanners. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from d38jew2j2gm6li.cloudfront.net and multiple other hosts. While running, it connects to the Internet address server-54-230-150-243.sin2.r.cloudfront.net on port 80 over HTTP.
Publisher:
Goobzo LTD  (signed and verified)

Version:
2.2.0.999

MD5:
8b9eb7828126c0e4f78c662d71a9209e

SHA-1:
6097d26caae75ac5e41f409220fd63a34a86bfe9

SHA-256:
bb64154aea8139987454c389f68224f148aedfc859a6c66a9dcb0fa4af6cbf79

Scanner detections:
27 / 68

Status:
Adware

Explanation:
May modify the web browser's settings, including changing the homepage and search provider, in addition to delivering ads (by injecting banners and text links directly into the web page).

Analysis date:
4/19/2024 7:45:38 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Agent.PDL
752

AhnLab V3 Security
PUP/Win32.CrossRider
2015.01.14

Avira AntiVirus
ADWARE/CrossRider.Gen
7.11.200.132

avast!
Win32:Adware-CDO [PUP]
2014.9-150114

AVG
Skodna
2016.0.3230

Baidu Antivirus
Adware.Win32.Shopper
4.0.3.15114

Bitdefender
Adware.Agent.PDL
1.0.20.70

Comodo Security
ApplicUnwnt
20698

Dr.Web
Win32.HLLW.Unjap.280
9.0.1.014

Emsisoft Anti-Malware
Adware.Agent.PDL
8.15.01.14.12

ESET NOD32
Win32/SpeedBit (variant)
9.11008

Fortinet FortiGate
Riskware/Agent
1/14/2015

F-Secure
Adware.Agent.PDL
11.2015-14-01_4

G Data
Adware.Agent.PDL
15.1.24

K7 AntiVirus
Unwanted-Program
13.191.14631

Kaspersky
not-a-virus:Downloader.NSIS.Agent
14.0.0.2645

McAfee
Artemis!8B9EB7828126
5600.6886

MicroWorld eScan
Adware.Agent.PDL
16.0.0.42

NANO AntiVirus
Trojan.Win32.Agent.dljgpg
0.30.0.64448

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.Goobzo.Q
15.1.14.0

Rising Antivirus
PE:Trojan.Win32.Generic.17F42ABA!401877690
23.00.65.15112

Sophos
Generic PUA GA
4.98

Trend Micro House Call
Suspicious_GEN.F47V0105
7.2.14

Vba32 AntiVirus
Downloader.Agent
3.12.26.3

VIPRE Antivirus
Goobzo
36630

Zillya! Antivirus
Downloader.Agent.Win32.233223
2.0.0.2034

File size:
1.1 MB (1,185,664 bytes)

Product version:
2.2.0.999

Copyright:
Copyright (C) 2014

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\ytdi_getdu_setup.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
5/2/2013 2:00:00 AM

Valid to:
5/3/2015 1:59:59 AM

Subject:
CN=Goobzo LTD, O=Goobzo LTD, L=Haifa, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
120B25DDE57B88636AD4D97D23B99C88

File PE Metadata
Compilation timestamp:
1/5/2015 9:08:34 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:35Q8z2hgC21OpzdrwSwShwfpVpQKuadyu19hUIDscVjTtLXDMu0AuDSbXOh:pMgC21Opzd/Rafh6a0u19hUUsAPtLXA1

Entry address:
0x5968F

Entry point:
E8, AE, E0, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, 08, BA, 4D, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 80, 87, 4D, 00, 01, 0F, 82, E6, E1, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2...

Code size:
632.5 KB (647,680 bytes)

The file ytdi_getdu_setup.exe has been seen being distributed by the following 6 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-85-173-134.fra6.r.cloudfront.net  (52.85.173.134:80)

TCP (HTTP):
Connects to server-52-85-173-252.fra6.r.cloudfront.net  (52.85.173.252:80)

TCP (HTTP):
Connects to server-54-192-129-153.ams50.r.cloudfront.net  (54.192.129.153:80)

TCP (HTTP):
Connects to server-52-85-63-110.lhr50.r.cloudfront.net  (52.85.63.110:80)

TCP (HTTP):
Connects to server-52-84-174-192.gru50.r.cloudfront.net  (52.84.174.192:80)

TCP (HTTP):
Connects to server-52-85-167-90.gig50.r.cloudfront.net  (52.85.167.90:80)

TCP (HTTP):
Connects to server-54-192-59-8.gru1.r.cloudfront.net  (54.192.59.8:80)

TCP (HTTP):
Connects to server-52-85-173-7.fra6.r.cloudfront.net  (52.85.173.7:80)

TCP (HTTP):
Connects to server-52-84-132-189.atl52.r.cloudfront.net  (52.84.132.189:80)

TCP (HTTP):
Connects to server-52-85-173-197.fra6.r.cloudfront.net  (52.85.173.197:80)

TCP (HTTP):
Connects to server-52-84-174-6.gru50.r.cloudfront.net  (52.84.174.6:80)

TCP (HTTP):
Connects to server-52-84-174-35.gru50.r.cloudfront.net  (52.84.174.35:80)

TCP (HTTP):
Connects to server-54-192-59-42.gru1.r.cloudfront.net  (54.192.59.42:80)

TCP (HTTP):
Connects to server-54-192-230-34.waw50.r.cloudfront.net  (54.192.230.34:80)

TCP (HTTP):
Connects to server-52-85-77-57.lax3.r.cloudfront.net  (52.85.77.57:80)

TCP (HTTP):
Connects to server-52-85-167-97.gig50.r.cloudfront.net  (52.85.167.97:80)

TCP (HTTP):
Connects to server-52-84-174-40.gru50.r.cloudfront.net  (52.84.174.40:80)

TCP (HTTP):
Connects to server-52-84-174-223.gru50.r.cloudfront.net  (52.84.174.223:80)

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.10:80)

TCP (HTTP):
Connects to server-54-192-59-203.gru1.r.cloudfront.net  (54.192.59.203:80)
