ytdsetup.exe

YTD Video Downloader

GreenTree Applications srl

The application ytdsetup.exe, “YTD Video Downloader stub installer” by GreenTree Applications srl, has been detected as a potentially unwanted program (PUP) by 1 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. As a stub installer it is small (115.9 KB) and fetches the components it installs at run time, so the bundled software cannot be determined from this file alone. The file has been seen being downloaded from d2twkqijaufij.cloudfront.net and multiple other hosts. While running, it connects to 5.79.67.111 (reverse DNS name hosted-by.leaseweb.com) on port 80 over plain, unencrypted HTTP.
Publisher:
GreenTree Applications srl  (signed and verified)

Product:
YTD Video Downloader

Description:
YTD Video Downloader stub installer

Version:
5.8.0.3

MD5:
1f499f7ae0ee3054e53a4d005b9a29d2

SHA-1:
b742a0da8b99956ebd4f4d7ce7631656d8e53115

SHA-256:
c3caccde894f7553662f79a71c9ca2ee5de2c48db9e3c1a6d256be56f507c4fa

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
This is part of a GreenTree bundled installer, which includes various adware, toolbars and co-bundled potentially unwanted apps pushed to the user during setup.

Analysis date:
4/19/2024 1:11:46 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.GreenTree (M)

Engine version:
16.8.25.15

File size:
115.9 KB (118,728 bytes)

Product version:
5.8.0.3

Copyright:
(c) 2016 GreenTree Applications SRL. All rights reserved.

Original file name:
YTDStub.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\ytdsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
7/27/2016 4:55:38 PM

Valid to:
11/18/2016 11:32:14 PM  (the certificate has since expired; a signature made before expiry remains valid only if it carries a trusted timestamp countersignature)

Subject:
CN=GreenTree Applications srl, O=GreenTree Applications srl, L=Bucuresti, C=RO

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00B06D48A15E485DEF

File PE Metadata
Compilation timestamp:
2/25/2012 3:19:59 AM  (predates the 2016 certificate and copyright; NSIS installers carry the PE timestamp of the precompiled installer stub, so this does not date the build of this particular installer)

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:dVdePelp2Xy+tuQOzOYE5aXPnD68gkW+RoeGd8yNkM/Dk22WbCwF8B5HyTWBCIbm:GweqOYEUXPnD7Ozd8yNka9bCt5kYCoDi

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Entropy:
7.0223  (high, as expected for the compressed data block appended to an NSIS stub; not by itself evidence of a custom packer)

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)
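The hash and PE metadata fields above are what an analyst compares a quarantined sample against. The following script is an added example, not code from the report or from GreenTree Applications: it computes the same hashes, reads the COFF/optional header fields listed above (compile timestamp, OS version, bitness, subsystem, linker version, entry address, code size), checks for the NSIS first-header marker and measures Shannon entropy. Only the SHA-256 and file size are taken from the report; the PE image built by make_minimal_pe() is a constructed stand-in, not the real file, so matches_report comes back False for it.

```python
"""Static triage of a Windows installer: hashes, PE header fields, NSIS marker, entropy.

Added example (not the report's tooling). REPORT_SHA256 and REPORT_SIZE are the values the
report publishes for ytdsetup.exe; everything else is generic PE parsing. The sample built by
make_minimal_pe() is constructed for the demonstration and is not the real installer.
"""
import hashlib
import math
import struct
from datetime import datetime, timezone

REPORT_SHA256 = "c3caccde894f7553662f79a71c9ca2ee5de2c48db9e3c1a6d256be56f507c4fa"
REPORT_SIZE = 118728
# NSIS 'first header': 0xDEADBEEF followed by the ASCII words Null, soft, Inst.
NSIS_FIRST_HEADER = b"\xef\xbe\xad\xdeNullsoftInst"


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the whole file as hex strings."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0). A compressed NSIS data block pushes the whole file
    toward 7-8 bits, so a high value alone does not indicate a custom packer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_header(data: bytes) -> dict:
    """Parse the COFF and PE32 optional-header fields the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsect, stamp, _, _, _optsize, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "bitness": {0x14C: "Win32", 0x8664: "Win64"}.get(machine, hex(machine)),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": {2: "Windows GUI", 3: "Windows console"}.get(subsystem, str(subsystem)),
        "entry_address": f"0x{entry_rva:X}",
        "code_size": size_of_code,
    }


def is_nsis(data: bytes) -> bool:
    """NSIS installers carry the first-header marker in front of their compressed data block."""
    return NSIS_FIRST_HEADER in data


def triage(data: bytes) -> dict:
    """Everything the report shows, plus whether this sample is the file the report describes."""
    h = hashes(data)
    return {
        **h,
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "nsis": is_nsis(data),
        "pe": pe_header(data),
        "matches_report": h["sha256"] == REPORT_SHA256 and len(data) == REPORT_SIZE,
    }


def make_minimal_pe(stamp: int, entry_rva: int, code_size: int, payload: bytes) -> bytes:
    """Constructed stand-in: a headers-only PE32 image with the NSIS marker and a payload
    appended, mimicking how NSIS glues its compressed data block onto the stub."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 10, 0, code_size)    # PE32, linker 10.0
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<HH", opt, 40, 5, 0)                        # OS version 5.0
    struct.pack_into("<H", opt, 68, 2)                            # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + NSIS_FIRST_HEADER + payload


def demo_result() -> dict:
    """Triage of the constructed sample (timestamp and entry RVA chosen to mirror the report)."""
    return triage(make_minimal_pe(1330139999, 0x39E3, 28672, bytes(range(256)) * 64))


if __name__ == "__main__":
    for key, value in demo_result().items():
        print(f"{key}: {value}")
```

To check a real sample, call triage(open(path, "rb").read()) and compare the sha256 and pe fields with the report; a hash mismatch with identical PE fields is what a re-signed or re-bundled variant of the same stub looks like.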

The file ytdsetup.exe has been seen being distributed from the following download URLs. All but one point at Amazon CloudFront distributions and use a 43-character opaque path token in place of a file name.

http://d2twkqijaufij.cloudfront.net/P4McHhU3lA9KH7-kI7BWGPNWvYW-kBD4qxhyVKyrg9Y

http://d3ffz50bq9ivyp.cloudfront.net/315NZfWypTmLUu_6wrEsjj55y1NOZI1WPHJSkpoDIJw

http://d2rdes1clzfm66.cloudfront.net/7ZNSTs0p6j-JlwueKYaSd4ai9QPMSevGNE3AJVXfRq4

http://d17pqf7x9h1r6e.cloudfront.net/kYf4CR3q_iu4Ey_NFeFwnHCt-GP1hHHq43CzT1RAj5o

http://dz0jye7ec73dd.cloudfront.net/CB6IG70BkRPI9ntgMd2kktiynk8sufLkhOEhZZmLuGc

http://d2u5vyt6p5zr46.cloudfront.net/ROiHn6qTOeL7ngAd65GG-KwKSe3zShy1uB_1CvzTcgo

http://d1e8fpn1y1hlw0.cloudfront.net/i5r05umnkm0h6VC4LiB_B8unA4Qxi33PQXUidT8Ez2k

http://dwmc3fvns8co1.cloudfront.net/Xq5aeOpu-A9Ewv2exaGQM-sjvszOmqaGU91XTUkfNsE

http://dkh19lrax3tz6.cloudfront.net/6ZTYpe5P3bSv1gfgfHjnXzfzUaJSnGzyAeenxjDb7C8

http://d18rtb9bij1s0s.cloudfront.net/FGgE4UIYCuIULA4VlE9z1lRCY1-UORNVVdC-AB0Ghf0

http://dzymn8gg8p6et.cloudfront.net/aVRdgc4ycDrRto_ag0UceoGV7K4X3pkcOZ9fqNFHdec

http://d26bek1nfjkfqx.cloudfront.net/wTufvvQ4Nx2HajcVZaSkHUEk_et2qxP35ZNMx4vfXEY

http://dca8v2016e06.cloudfront.net/iV24USNLRUpWVRYUdl0Uf3j3vvjpPe-ybrkpQeY296M

http://d23g9yv0hczani.cloudfront.net/ZB0xxgxaTgKTpXc8nNmOiSHA7MwPc626B_Pp7OE2vO8

http://d23g9yv0hczani.cloudfront.net/D9F3uq9cwMIsjDpfQnhXnThIMrH_SUtaqLO2oaoeC60

http://d23g9yv0hczani.cloudfront.net/qePH02sHpjAZdFsinenDQzJpqOsycIkguFkAkQeFoOM

http://d3urwjkt0yj0au.cloudfront.net/40UAt_14u02Ty8Lj92UADKwKSe3zShy1uB_1CvzTcgo

http://d23g9yv0hczani.cloudfront.net/V5x0dvfQbUWisLGSuqEMJPawMwNOUs0AK5t53mUCDmM

http://d227sk8vu3wybs.cloudfront.net/jg1dc9U1BvHMZX9yKdxPyU1lI3sid157MRgqc79qsBs

http://d2wom5kxy09p97.cloudfront.net/nl8mZ8gkBgn_i71sgW1X4GX9m08XuiK4DNfwRvRf4-M

http://d2naq5bf7kzbua.cloudfront.net/pS-3d5fst_ezNHUrQoay4_CT5UD1LJl0uiIMkLPOzUo

http://d31peeogme9ec8.cloudfront.net/jlbApD56O2A7A61BEtDucext84JfakpcqRts9Y5o444

http://d1uq9z4p8a43ed.cloudfront.net/2lfkDi1kxYugHOxKPlCF6xFTZyeTNVPH0lb5OA8d7Mw

http://dipczupvemlxw.cloudfront.net/tfAf9BrJrLNUk9TcY9UWhlkjJRkhlYH-ExYDAG0Xieg

http://d2wtmfs2zr6fjx.cloudfront.net/omuenVI-bYZLppnAc_2XDpDfRVxiBMZKWkrGdtPB-Jg

http://d3en8vzf2kk06.cloudfront.net/ImEyTY78E4bJVaSe8F0ydlNpkiMGJ7sgec7N3A_FAzI

http://d1vwa0hcl5002a.cloudfront.net/3MOeFBxPAPxv2PJinBVStwgpvv9k7dsVtVEjNmVlQ_8

http://d1m5f2dhunte7s.cloudfront.net/setup/.../YTDSetup.exe

http://d1nakaeyv32kz0.cloudfront.net/XJKJnkmaXvcE4aCGkZY9tcABsYXXHnFjILkow2ibF1A

http://d19pxvvxecmqhg.cloudfront.net/2_VajUetVoSPJ2vw-spGm64WLUTDqFCiprByD5D2cy4

Latest 30 of 142 download URLs

When executed in live environments, the file has been observed making the following network communication.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (5.79.67.111:80). hosted-by.leaseweb.com is the generic reverse-DNS name of the Leaseweb address, not necessarily a hostname the installer resolves; detection should key on the IP and port.
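The download URLs and the run-time connection above are the indicators a defender would turn into a log check. The following script is an added example, not the report's own detection logic: it scores proxy log lines against the Leaseweb IP and port, the CloudFront host plus 43-character token pattern shared by the listed URLs, and the reported file size. The log format, every log line and the request path used for the Leaseweb connection are constructed for the demonstration; the report records only the host and port of that connection.

```python
"""Match proxy log lines against the indicators the report gives for ytdsetup.exe.

Added example (not the report's tooling). The IP, port, file size, CloudFront host and the
token in SAMPLE_LOG come from the report; the log format and the log lines themselves are
constructed, and the "/" path on the Leaseweb request is a placeholder.
"""
import re
from urllib.parse import urlsplit

STUB_DOWNLOAD_IP = "5.79.67.111"          # hosted-by.leaseweb.com in the report
STUB_DOWNLOAD_PORT = 80                   # the report records plain HTTP on port 80 only
REPORT_FILE_SIZE = 118728                 # bytes, from the report
# 29 of the 30 listed URLs: a CloudFront distribution plus a 43-character base64url token
# (32 bytes, unpadded) with no file name or extension.
CLOUDFRONT_HOST = re.compile(r"^d[a-z0-9]{11,13}\.cloudfront\.net$")
OPAQUE_TOKEN_PATH = re.compile(r"^/[A-Za-z0-9_-]{43}$")

# Constructed log format: "<timestamp> <client> <method> <url> <status> <bytes>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def findings_for(line: str) -> list:
    """Return the indicator names one log line triggers (empty list if none or unparsable)."""
    m = LINE.match(line.strip())
    if not m:
        return []
    _ts, _client, _method, url, _status, size = m.groups()
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    hits = []
    # Exact host:port the stub was seen talking to; a TLS contact on 443 is outside the indicator.
    if host == STUB_DOWNLOAD_IP and port == STUB_DOWNLOAD_PORT:
        hits.append("stub_download_host_port80")
    # CloudFront is legitimate infrastructure: require the opaque-token path, not just the host.
    if CLOUDFRONT_HOST.match(host) and OPAQUE_TOKEN_PATH.match(u.path):
        hits.append("cloudfront_opaque_token_download")
    # Weak corroboration only: many files are this size.
    if int(size) == REPORT_FILE_SIZE:
        hits.append("body_size_matches_report")
    return hits


def scan(lines) -> dict:
    """Map each line that triggers at least one indicator to its list of findings."""
    return {ln: hits for ln in lines if (hits := findings_for(ln))}


SAMPLE_LOG = [  # constructed lines; the CloudFront host and token are copied from the report
    "2024-04-19T01:10:02Z 10.0.0.5 GET https://www.example.com/index.html 200 5120",
    "2024-04-19T01:11:46Z 10.0.0.5 GET http://d2twkqijaufij.cloudfront.net/P4McHhU3lA9KH7-kI7BWGPNWvYW-kBD4qxhyVKyrg9Y 200 118728",
    "2024-04-19T01:11:47Z 10.0.0.5 GET https://d2twkqijaufij.cloudfront.net/static/app.js 200 88120",
    "2024-04-19T01:12:01Z 10.0.0.5 GET http://5.79.67.111/ 200 40960",
    "2024-04-19T01:12:02Z 10.0.0.5 GET https://5.79.67.111/ 200 40960",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", line)
```

The same CloudFront distribution serving a normal static path is deliberately not flagged: the host alone is shared with legitimate traffic, and it is the token-only path that the report's URL list has in common.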

Remove ytdsetup.exe - Powered by Reason Core Security