» ytdsetup.exe
Overview
Analysis
File Details
Downloads (5)
Network (3)

ytdsetup.exe

YTD Video Downloader

GreenTree Applications srl

The application ytdsetup.exe by GreenTree Applications srl has been detected as a potentially unwanted program by 24 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from d3876fpuz5dglk.cloudfront.net and multiple other hosts. While running, it connects to the Internet address ip-172-16-16-3.ec2.internal on port 8080.

File name:

ytdsetup.exe

Publisher:

GreenTree Applications srl (signed and verified)

Product:

YTD Video Downloader

Version:

5.0.0

MD5:

a069db9b63b16d13e2af133918c618f1

SHA-1:

35a0b0496c237c26e64f3c42897310537d436b0c

SHA-256:

ed5484944b52a091e94d990540fcf0c747ff3fdcba01a3281b6c62ccf0d7d6f7

Scanner detections:

24 / 68

Status:

Potentially unwanted

Explanation:

This is part of a Greentree bundled installer, which includes various adware, toolbars and co-bundled potentially unwanted apps pushed to the user upon setup.

Analysis date:

5/19/2025 5:06:31 PM UTC (today)

Scan engine

Detection

Engine version

avast!

Win32:Adware-gen [Adw]

2014.9-151109

AVG

Downloader

2016.0.2930

Baidu Antivirus

Adware.Win32.AskToolbar

4.0.3.15119

Bkav FE

W32.HfsAdware

1.3.0.7383

Comodo Security

ApplicUnwnt

19644

Dr.Web

Adware.Downware.10873

9.0.1.0313

ESET NOD32

Win32/Bundled.Toolbar.Ask.G potentially unsafe (variant)

9.11871

Fortinet FortiGate

Riskware/Ask

11/9/2015

G Data

Win32.Adware.Spigot

15.11.24

IKARUS anti.virus

PUA.Offer

t3scan.1.9.5.0

K7 AntiVirus

Trojan

13.183.13504

Kaspersky

not-a-virus:AdWare.MSIL.RocketTab

14.0.0.1145

Malwarebytes

PUP.Optional.APNToolBar.A

v2015.11.09.09

McAfee

Artemis!8A5AE67E0CA6

5600.6586

NANO AntiVirus

Riskware.Win32.AdLoad.dxemmd

0.30.26.4437

Panda Antivirus

Trj/Chgt.E

15.11.09.09

Qihoo 360 Security

HEUR/Malware.QVM06.Gen

1.0.0.1015

Quick Heal

AdWare.MSIL.g6 (Not a Virus)

11.15.14.00

Reason Heuristics

Win32.Generic.GreenTreeApplicationssrl.Installer.Meta

15.11.9.21

Rising Antivirus

PE:Trojan.Win32.Generic.172F5263!388977251

23.00.65.151107

Trend Micro House Call

TROJ_GEN.R047H07HS14

7.2.313

Vba32 AntiVirus

Backdoor.Sinowal

3.12.26.4

VIPRE Antivirus

Trojan.Win32.Generic

31108

Zillya! Antivirus

Adware.Agent.Win32.75599

2.0.0.2499

File size:

10 MB (10,486,688 bytes)

Product version:

5.0.0.0.6

Original file name:

Uninstall.exe

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Language:

English (United States)

Common path:

C:\users\{user}\downloads\ytdsetup.exe

Digital Signature

Signed by:

GreenTree Applications srl

Authority:

Starfield Technologies, Inc.

Valid from:

2/17/2015 6:55:38 AM

Valid to:

11/18/2015 7:32:14 AM

Subject:

CN=GreenTree Applications srl, O=GreenTree Applications srl, L=Bucuresti, C=RO

Issuer:

CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:

00C427DA8891A2EF29

File PE Metadata

Compilation timestamp:

2/24/2012 11:19:59 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

196608:Yd17688NYWZakxSRbhL0QXZ5qWpYst4hBae3z/arUBGvc9EYCm7iWEo7FlGoVt:YMmebxSPLZ/qRBaGh4EmHo7FNt

Entry address:

0x39E3

Entry point:

81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00... 
[+]

Entropy:

7.9992

Packer / compiler:

Nullsoft install system v2.x

Code size:

28 KB (28,672 bytes)

The file ytdsetup.exe has been seen being distributed by the following 5 URLs.

http://d3876fpuz5dglk.cloudfront.net/installers/.../YTDSetup.exe

http://dl-vip.appstore.baidu.co.th/.../YTDVideoDownload-5.0.0.6.exe

http://youtubedownloads.net/.../YTDSetup.exe

http://get.ytddownloader.com/kits/.../YTDSetup-887822600.exe

http://d3876fpuz5dglk.cloudfront.net/installers/.../YTDSetup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to 14.d7.24ae.ip4.static.sl-reverse.com (174.36.215.20:80)

TCP (HTTP):

Connects to ip-172-16-16-3.ec2.internal (172.16.16.3:8080)

TCP (HTTP):

Connects to hosted-by.leaseweb.com (95.211.187.107:80)

Remove ytdsetup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.