fyd_setup.exe

Rah

FlashDelivery (New Media Holdings Ltd)

The application fyd_setup.exe, “Rah Setup” by FlashDelivery (New Media Holdings), has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The file has been seen being downloaded from www.cycletagcurrent.com and multiple other hosts.
Publisher:
Cogosu (signed by FlashDelivery (New Media Holdings Ltd))

Product:
Rah

Description:
Rah Setup

Version:
2.4.5.1

MD5:
84287e379f3170e11d117dc9012ddfc3

SHA-1:
cfdd45e6fc4e55d29f01e95b0988eab373a9df2e

SHA-256:
168bcf600f6c8756866f6b2b0805fc7f3e105a16cd35877e3ce3edf14f0b5f9c

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/25/2024 12:05:18 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.NewMedia.NMH.Bundler (M)

Engine version:
16.6.13.8

File size:
951.4 KB (974,280 bytes)

Product version:
1.5.9

Copyright:
Web

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\fyd_setup.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
3/15/2016 9:44:48 PM

Valid to:
6/26/2017 8:17:33 PM

Subject:
CN=FlashDelivery (New Media Holdings Ltd), O=FlashDelivery (New Media Holdings Ltd), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112107BDB832CA5BF7FCACBF752B12BBB5B7

File PE Metadata
Compilation timestamp:
6/20/1992 3:52:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:oUKhfKukoKZRHjoyfd+gZqMlMSgTKY6Og4+04wZ:oJhaoKTdPZqMq76J6bZ

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 

Entropy:
7.9346

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file fyd_setup.exe has been seen being distributed by the following 50 URLs.

Latest 30 of 2,324 download URLs
