ytdsetup.exe

YTD Video Downloader

GreenTree Applications srl

The application ytdsetup.exe, “YTD Video Downloader stub installer” by GreenTree Applications srl has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from d1lweah1ynfyz1.cloudfront.net and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
GreenTree Applications srl (signed and verified)

Product:
YTD Video Downloader

Description:
YTD Video Downloader stub installer

Version:
5.8.0.3

MD5:
36a697927e794f9b8bbfbb29abbfab5e

SHA-1:
7ae6612ef8eda910b1fd0e307af0bba702e69784

SHA-256:
4002d587c3aa2cb73158e4a31f694ea1480737069cad76c460c5dda4c6261bdc

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
This is part of a GreenTree bundled installer, which includes various adware, toolbars and co-bundled potentially unwanted apps pushed to the user during setup.

Analysis date:
4/18/2024 10:41:39 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.GreenTree (M)

Engine version:
16.8.25.15

File size:
115.9 KB (118,728 bytes)

Product version:
5.8.0.3

Copyright:
(c) 2016 GreenTree Applications SRL. All rights reserved.

Original file name:
YTDStub.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\programs\ytdsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
7/27/2016 2:25:38 PM

Valid to:
11/18/2016 9:02:14 PM

Subject:
CN=GreenTree Applications srl, O=GreenTree Applications srl, L=Bucuresti, C=RO

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00B06D48A15E485DEF

File PE Metadata
Compilation timestamp:
2/25/2012 12:49:59 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:dVdePelp2Xy+tuQOzOYE5aXPnD68gkW+RoeGd8yNkM/Dk22WbCwF8B5HyTWBCIbo:GweqOYEUXPnD7Ozd8yNka9bCt5kYCoD8

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Entropy:
7.0224

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file ytdsetup.exe has been seen being distributed by the following 50 URLs.

Latest 30 of 157 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com (5.79.67.111:80)

TCP (HTTP):
Connects to ch4plpkivs-v03.any.prod.ord1.secureserver.net (50.63.243.230:80)

Remove ytdsetup.exe - Powered by Reason Core Security