fyd_setup.exe

Rah

FlashDelivery (New Media Holdings Ltd)

The application fyd_setup.exe, “Rah Setup ” by FlashDelivery (New Media Holdings) has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.cycletagcurrent.com.
Publisher:
Cogosu   (signed by FlashDelivery (New Media Holdings Ltd))

Product:
Rah

Description:
Rah Setup

Version:
2.4.5.1

MD5:
6597a63ba32f5fd35901a0c3af38bcf4

SHA-1:
0992526bad62bccdaa814949f747830f1064271d

SHA-256:
78a3048bab5a33328ac18569f5b5a4c6ed4208c1c8f9616747fdf464fce6cab4

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/5/2024 10:26:22 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Pioneer-C
160518-2

AVG
Win32/Floxif
2015.0.4591

Dr.Web
Trojan.InstallCore.1910
9.0.1.05190

Emsisoft Anti-Malware
Win32.Floxif
16.07.07

ESET NOD32
Win32/Floxif.H virus
8.0.319.0

F-Prot
W32/Floxif.B
4.6.5.141

Kaspersky
Virus.Win32.Pioneer
15.0.0.562

Microsoft Security Essentials
Threat.Undefined
1.225.630.0

Norman
Win32.Floxif.A
28.05.2016 13:03:37

Reason Heuristics
PUP.NewMedia.NMH.Bundler (M)
16.7.7.23

VIPRE Antivirus
Threat.4760052
50434

File size:
1 MB (1,052,559 bytes)

Product version:
1.5.9

Copyright:
Web

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\fyd_setup.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
3/15/2016 4:14:48 PM

Valid to:
6/26/2017 2:47:33 PM

Subject:
CN=FlashDelivery (New Media Holdings Ltd), O=FlashDelivery (New Media Holdings Ltd), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112107BDB832CA5BF7FCACBF752B12BBB5B7

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:rMIfKukoKZRHjoyfd+gZqMlMSgTKY6Og4+04w9rEH7u:rMIaoKTdPZqMq76J6b1

Entry address:
0x9C40

Entry point:
E9, 0C, D5, FF, FF, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Entropy:
7.9396

Packer / compiler:
tElock 0.99 - 1.0 private

Code size:
37 KB (37,888 bytes)

The file fyd_setup.exe has been seen being distributed by the following URL.

Remove fyd_setup.exe - Powered by Reason Core Security