rcpsetup_17970HD_v2.exe

The application rcpsetup_17970HD_v2.exe has been detected as a potentially unwanted program by 14 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from secure.fastcdngoeast.com and multiple other hosts.
MD5:
91102b0503898852bd6f1f4f867272cd

SHA-1:
69ee3222b6ef791d8d89cc449cc1ebec1619bbca

SHA-256:
f319f17dbae8bc9e1cc18340e8c7e3f956d953ef3df17722eed23eb2b9b21561

Scanner detections:
14 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/27/2024 3:20:32 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.11504041
932

Baidu Antivirus
Adware.Win32.InstallCore
4.0.3.14717

Bitdefender
Trojan.Generic.11504041
1.0.20.990

Clam AntiVirus
Win.Adware.Agent-7643
0.98/21411

Emsisoft Anti-Malware
Trojan.Generic.11504041
8.14.07.17.10

F-Secure
Trojan.Generic.11504041
11.2014-17-07_5

G Data
Trojan.Generic.11504041
14.7.24

Kaspersky
not-a-virus:Downloader.Win32.Agent
14.0.0.3545

McAfee
RDN/FakeAV-Y.bfr!e
5600.7066

MicroWorld eScan
Trojan.Generic.11504041
15.0.0.594

Norman
Downloader
11.20140717

Panda Antivirus
Trj/CI.A
14.07.17.10

Trend Micro House Call
TROJ_GEN.R047H06GF14
7.2.198

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.3

File size:
44.5 KB (45,587 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\rcpsetup_17970hd_v2.exe

File PE Metadata
Compilation timestamp:
12/6/2009 12:52:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
768:x0gFJMBrbxJQJFiXDYwQ5NTdKqP5sCOfZ7jrG0D3cjfS3XJUmTq6KFMABrlZdPgH:xfYBrbzmFizYwUK1G0DRXJB49rjd1V/A

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file rcpsetup_17970HD_v2.exe has been seen being distributed by the following 3 URLs.

Remove rcpsetup_17970HD_v2.exe - Powered by Reason Core Security