ytdsetup.exe

YTD Video Downloader

GreenTree Applications srl

The application ytdsetup.exe, “YTD Video Downloader stub installer” by GreenTree Applications srl, has been detected as a potentially unwanted program by 17 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from d1h148hlp4izuw.cloudfront.net and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
GreenTree Applications srl (signed and verified)

Product:
YTD Video Downloader

Description:
YTD Video Downloader stub installer

Version:
4.9.2.3

MD5:
73850e3d094f812c1a842336e1d2913c

SHA-1:
c8b85feaf0a2330b3c8f9a63b8c73fa54d1b4048

SHA-256:
8aae1da3608b1ea4612861fc4c5f118b79512be0c6ce2fbdc115b8cde6184245

Scanner detections:
17 / 68

Status:
Potentially unwanted

Explanation:
This is part of a GreenTree bundled installer, which pushes various adware, toolbars and co-bundled potentially unwanted apps to the user during setup.

Analysis date:
5/20/2024 3:08:25 PM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | ADWARE/Widgi.102704.2 | 8.3.1.6
avast! | Win32:PUP-gen [PUP] | 2014.9-151105
Baidu Antivirus | PUA.Win32.Toolbar | 4.0.3.15115
Bkav FE | W32.HfsAdware | 1.3.0.6979
Dr.Web | Adware.Downware.12103 | 9.0.1.0309
ESET NOD32 | Win32/Toolbar.Widgi potentially unwanted | 9.11444
G Data | Win32.Trojan.Agent.JQ5AGL | 15.11.25
K7 AntiVirus | Adware | 13.205.16545
Kaspersky | not-a-virus:HEUR:Downloader.Win32.Generic | 14.0.0.1165
McAfee | Artemis!4EC0C81186BF | 5600.6590
NANO AntiVirus | Trojan.Nsis.DownLoader12.dqgtta | 0.30.24.2487
Panda Antivirus | Generic Suspicious | 15.11.05.10
Quick Heal | Downloader.Generic.r5 (Not a Virus) | 11.15.14.00
Reason Heuristics | Win32.Generic.GreenTreeApplicationssrl.Installer.Meta | 15.11.5.22
Trend Micro House Call | TROJ_GEN.R0C1H07CH15 | 7.2.309
VIPRE Antivirus | Trojan.Win32.Generic | 42624
Zillya! Antivirus | Adware.Toolbar.Win32.343 | 2.0.0.2286

File size:
115.9 KB (118,728 bytes)

Product version:
4.9.2.3

Copyright:
(c) 2015 GreenTree Applications SRL. All rights reserved.

Original file name:
YTDStub.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\ytdsetup.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
2/17/2015 3:55:38 PM

Valid to:
11/18/2015 4:32:14 PM

Subject:
CN=GreenTree Applications srl, O=GreenTree Applications srl, L=Bucuresti, C=RO

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00C427DA8891A2EF29

File PE Metadata
Compilation timestamp:
2/24/2012 8:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:CweqOYEUXPnD7Ozd8yNkaqJC94na4fWT9bf:/EUXb6yyKanl4fw9bf

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file ytdsetup.exe has been seen being distributed by the following 50 URLs.

http://d1h148hlp4izuw.cloudfront.net/nyhug1UqGctiZ1SIZxLbmUNBDRpn2MssI-rFRFdL-DU

http://d2nus96b7v4xcj.cloudfront.net/jm9fxvsOSaZYHcrgOfJ3q6ANCngteUtBNHb0GEuuUVw

http://d3lb15u205m0sg.cloudfront.net/lD1hnrJ4RaifAIn5PxbpYd86BLrBTYpWr72A4Mv2jaM

http://d1iqyz8eet0wvc.cloudfront.net/IhSLCrxTvhqLtPED6o7pHseqR8rNoQNGBviVy_SPhRI

http://d2pr6zzobp459s.cloudfront.net/bbUwiW5kWSn2DKlJLcteB8AECZPG7Vja1JSM8cQxizY

http://dpwj3bi4f5kxr.cloudfront.net/0slNdh9FsDnOU6m7Z3kqn7vbcp8JMhkBRcawIJVg9dI

http://d1bbrx31nsg1mi.cloudfront.net/OiyEeHo3xVU6PAEdG6A27UhckKwn3Q43q7WehSDJ8Is

http://dw1dz03mith3v.cloudfront.net/oaR9q26gbZIsbJMS4uKXjBFg1mLrPgtGaHV38aICnUU

http://d2stx2vz9qec3q.cloudfront.net/nBL68qK4PadqbzFu2fDNjq2vErjxaVhjE6WjSEEFqU0

http://d3ohih6s64n4ng.cloudfront.net/VjpFK0bMENK4yky5CzDbj2dZYzCfOAyaKOISKkCBNG0

http://d2j84qhbv1dba1.cloudfront.net/jSeBivEheh71RxMxAJv5QTysOcvxRTOX2_JW4nSopGA

http://dmhlivukmtwob.cloudfront.net/jrROVVDz8TxavGcAcshW38jc1hb0dEeeKnUBsEucvic

http://d44z47hir11ee.cloudfront.net/Mr-ZObxL5iMpYHnqIMKzI28zMjfFu3bGARQBl2xn41U

http://d3udwk1faonmfx.cloudfront.net/C9DNrI3wnJNEhuz4VaA3FfcBlBfA03LZ9VuQcSJQaDI

http://d1i6g40x7lvxga.cloudfront.net/IWh4hyuxyMrUCYrdxqWXSdpvo4tDrF65p7xrw7tHllQ

http://d1bnp5xl7ovy3u.cloudfront.net/3LN_CSbqwLO1SLhS6B6zqjyj4pOWlHxlrQ9bO8QWJn0

http://dgsd5rtsay542.cloudfront.net/XTGxOOIkwwxQ590_tYJzLI1xiOrUDj26jWFxGvvkMN0

http://software-files-a.cnet.com/s/software/13/79/86/.../YTDSetup.exe

http://d2bnfdvagiyw70.cloudfront.net/fypsgMght67-yS9noo6r8nFBY3UScwTaa_89VwZyA88

http://www.youtubedownloadersite.com/.../stub.php?ytd2

http://dso3yqi1ze4o2.cloudfront.net/n8Aa4CiwOxpHUVTkAnrJVN0oRGrKU-7gPodVxrWqMQ8

http://d1vxrn05on2i0m.cloudfront.net/D4qL0CyPNAzncbN9bb_QkkdtJsZP7RuFdDJe6fU-X9I

http://d38bwwd2v1173s.cloudfront.net/USEGeI9c1e-4s9pHiuSuczM5komBuznHt5H1IiXoajc

http://d179o5ok6p37vp.cloudfront.net/E2TrE2hr1q3uicwFKSYDjB5ZeZiRMlYuM026QvNqup8

http://d1nstfmdmrnrwm.cloudfront.net/cmBYOT4hqZEwg4p9SDCFaZNxTTiQs9gjJUeddFK-B0k

http://djgd86jzdobof.cloudfront.net/tuEekkbYZIFN3aDZNSGdKGv9UY0V7u528V22KymAlKw

http://d3szoulydyd26k.cloudfront.net/hCKKt6LF4RQPemT0KwKJwULUMvJCt7ZueDVjV9gktJc

http://d39ty9n94nlpin.cloudfront.net/OpVW4SQkY_asDyt_YtbWeikRil0SVAEdqbD8uKFSHmQ

http://d25ya4byfqh1d5.cloudfront.net/Xtlr220yOkjzMREmksmGd3xtGw-HFmpjNDRg3Eos7gs

http://d25eb7snppoqnm.cloudfront.net/_Q81AscGUBc_wcBnexA5J22gdXxwnHXubXa9fxWP4ec

Latest 30 of 646 download URLs

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com (5.79.67.111:80)

Remove ytdsetup.exe - Powered by Reason Core Security