ytdsetup.exe

YTD Video Downloader

GreenTree Applications srl

The application ytdsetup.exe, “YTD Video Downloader stub installer” by GreenTree Applications srl, has been detected as a potentially unwanted program by 18 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from www.youtubedownloadersite.com and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
GreenTree Applications srl  (signed and verified)

Product:
YTD Video Downloader

Description:
YTD Video Downloader stub installer

Version:
4.9.2.3

MD5:
e5ad02b795b4369d03a5a5537e380252

SHA-1:
0183a22c1ad666953aeeab669b24520b82410e15

SHA-256:
4cf883b4444b8039c5044d338d190bebd9aea2415818b6aee529562c8096c574

Scanner detections:
18 / 68

Status:
Potentially unwanted

Explanation:
This is part of a Greentree bundled installer, which includes various adware, toolbars and co-bundled potentially unwanted apps pushed to the user upon setup.

Analysis date:
5/20/2024 3:07:55 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Avira AntiVirus | ADWARE/Widgi.102704.2 | 8.3.1.6 |
| avast! | Win32:PUP-gen [PUP] | 2014.9-151109 |
| Baidu Antivirus | PUA.Win32.Toolbar | 4.0.3.15119 |
| Bkav FE | W32.HfsAdware | 1.3.0.6979 |
| Dr.Web | Adware.Downware.12103 | 9.0.1.0313 |
| ESET NOD32 | Win32/Toolbar.Widgi potentially unwanted | 9.11444 |
| G Data | Win32.Trojan.Agent.JQ5AGL | 15.11.25 |
| K7 AntiVirus | Adware | 13.205.16545 |
| Kaspersky | not-a-virus:HEUR:Downloader.Win32.Generic | 14.0.0.1149 |
| McAfee | Artemis!4EC0C81186BF | 5600.6587 |
| NANO AntiVirus | Trojan.Nsis.DownLoader12.dqgtta | 0.30.24.2487 |
| Panda Antivirus | Generic Suspicious | 15.11.09.03 |
| Quick Heal | Downloader.Generic.r5 (Not a Virus) | 11.15.14.00 |
| Reason Heuristics | Win32.Generic.GreenTreeApplicationssrl.Installer.Meta | 15.11.9.3 |
| SUPERAntiSpyware | PUP.YTD/Variant | 9519 |
| Trend Micro House Call | TROJ_GEN.R0C1H07CH15 | 7.2.313 |
| VIPRE Antivirus | Trojan.Win32.Generic | 42624 |
| Zillya! Antivirus | Adware.Toolbar.Win32.343 | 2.0.0.2286 |

File size:
115.9 KB (118,728 bytes)

Product version:
4.9.2.3

Copyright:
(c) 2015 GreenTree Applications SRL. All rights reserved.

Original file name:
YTDStub.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\ytdsetup.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
2/17/2015 9:55:38 PM

Valid to:
11/18/2015 10:32:14 PM

Subject:
CN=GreenTree Applications srl, O=GreenTree Applications srl, L=Bucuresti, C=RO

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00C427DA8891A2EF29

File PE Metadata
Compilation timestamp:
2/25/2012 2:19:59 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:CweqOYEUXPnD7Ozd8yNkaqJC94na4fWT9b3:/EUXb6yyKanl4fw9b3

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 

Entropy:
7.0231

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file ytdsetup.exe has been seen being distributed by the following 50 URLs.

Latest 30 of 359 download URLs

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (5.79.67.111:80)
