csetup.exe

Installer

OOO ELEKTRO-KOD

The application csetup.exe by OOO ELEKTRO-KOD has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from 24online.feelfree4update.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
OOO ELEKTRO-KOD  (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
c6caf9f3ed996ec171905f111e9decf8

SHA-1:
79ca59d36d4f6afe48e947e284d088de84782398

SHA-256:
f45cbc2fa3aee6533cce589a52eed1876ee15d0f577c0b88f939989af84e817b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2024 5:30:09 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.OOOELEKTROKOD.Installer (M)

Engine version:
15.12.21.22

File size:
319 KB (326,696 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2015

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\csetup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/7/2015 8:00:00 PM

Valid to:
6/7/2016 7:59:59 PM

Subject:
CN=OOO ELEKTRO-KOD, O=OOO ELEKTRO-KOD, STREET="109428,GOROD MOSKVA,,,,ULITsA IBRAGIMOVA,35, 2,I KOMN.14,", L=Moscow, S=Moscow, PostalCode=109428, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D1727DFA82A3E28C73A633A65CE817E4

File PE Metadata
Compilation timestamp:
11/2/2015 6:02:59 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:ko4yOOFCSi0q5opjWFxYX0x6WMOHGkHo0P9sUq/m16ueh9FKx:ko4yOOFCSiD51+XK6WMO3HFs7O2Ix

Entry address:
0x4E71E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.4404

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
306 KB (313,344 bytes)

The file csetup.exe has been seen being distributed by the following 45 URLs.

http://24online.feelfree4update.com/dl.php?pcl=sr1h1rUkCvSrZ7fK9556KbM9XTVt1NQhLfKL0529Gyk.&cid=125256379831&SUB_ID=320819&conversion_id=14506971740327&app_id=4&lp_id=1262&v=clean&stub_id=296&v_id=wAXJzeV2eMxn9y_p-TP7VEwq16_K5Tsq6YjozDhlg1U.&lpp=*-*-*

http://autoupdate.whenupgradeswork.com/dl.php?pcl=sr3a4isFgV3Z6jB3hcfpjz-o0cyqKXAErM3IB-OBnmc.&cid=152384003892&SUB_ID=298224&conversion_id=14527872007867&app_id=4&lp_id=1362&v=clean&stub_id=296&v_id=PrtZ0HtDueROlwKf3Zy926ARe1t7n9JC7PrIco7S5tE.&lpp=*-*-*

http://newalways.how2update4u.com/dl.php?tract=1cL8tg2jTdxg5YCtWjZ-Hh_Qpw0kQu65zUKm6LBPNxk.&cid=164566190502&SUB_ID=365862&conversion_id=14552085820924&app_id=4&lp_id=1408&v=clean&stub_id=296&v_id=jROHAvjNcd7qorUEmPGbWfbA6CEtSI_TT8fxGoY6BT0.&lpp=*-*-*

http://soft4update.whenupgradeswork.com/dl.php?pcl=-mcGhMqwJsLjaFrFDxeW2V765h6Ls6A8K2Lc-xmGTGQ.&cid=136776164141&SUB_ID=462464&conversion_id=14527874499600&app_id=4&lp_id=1362&v=clean&stub_id=296&v_id=x_VYNy5DEqwV299OcmF-uB-cddILwLjmKh8ZFwC8oTI.&lpp=*-*-*

http://soft4update.whenupgradeswork.com/dl.php?pcl=o9oae0_3w2bkmsGxlkmFVh-ZSlkxfh6Z11cEl9e7GlU.&cid=136762742931&SUB_ID=489271&conversion_id=14527862829753&app_id=4&lp_id=1362&v=clean&stub_id=296&v_id=FLEPP1bwvH7R7tj5ICYqV8csj_go6BV8Ix7OB-BAtfI.&lpp=*-*-*

http://alwaysnew.feelfree4update.com/dl.php?pcl=6FYiUrpx1tUc8lf9fBjgRUv01wiIwHk7961wnL8eVHE.&cid=126835811254&SUB_ID=19399&conversion_id=14504406823750&app_id=4&lp_id=1003&v=clean&stub_id=296&v_id=uEq7DXa6tWVi45FVMpgU_7XgjIEa2kjOGrJmiXURkZA.&lpp=*-*-*

http://alwaysnew.feelfree4update.com/dl.php?pcl=6FYiUrpx1tUc8lf9fBjgRUv01wiIwHk7961wnL8eVHE.&cid=126836532004&SUB_ID=447284&conversion_id=14504408136003&app_id=4&lp_id=1003&v=clean&stub_id=296&v_id=ZSg13CWLnYY18juLadNmUoIzwCXnhgud_JKTy-TeBoc.&lpp=*-*-*

http://alwaysnew.feelfree4update.com/dl.php?pcl=fX0j4Q1mpL0-Kra_LBXPjPEuf-rp2hSRTOCdYRPh9YU.&cid=124024825711&SUB_ID=462464&conversion_id=14504449612939&app_id=4&lp_id=954&v=clean&stub_id=296&v_id=Gm54_zjrVBcz-ABCVdzqUZxvfI4YYrwjJ3_Qx9WJNus.&lpp=*-*-*

http://soft4update.whenupgradeswork.com/dl.php?pcl=o9oae0_3w2bkmsGxlkmFVh-ZSlkxfh6Z11cEl9e7GlU.&cid=136767290681&SUB_ID=447284&conversion_id=14527866857553&app_id=4&lp_id=1362&v=clean&stub_id=296&v_id=oI8NksQ87M_EC8RkcXtev-RnwffIyy5U-fDV0grZKHw.&lpp=*-*-*

Latest 30 of 45 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove csetup.exe - Powered by Reason Core Security