home

setup.exe

bundlebeez ltd.

The application setup.exe by bundlebeez ltd has been detected as a potentially unwanted program by 10 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. The file has been seen being downloaded from d1.peackapp.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Installer  (signed by bundlebeez ltd.)

Product:
Installer

Version:
1.48.0.0

MD5:
bcef2c91c2ad4ef0425e982a2a45ec72

SHA-1:
01fac04a17af1feed86778fb1339b8055ec73be4

SHA-256:
da7837a4e111aeac91420123ca0ca722ec98b412271035dc524e9fe08078493c

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
2/25/2025 11:28:48 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/TrueDown.glo
8.3.1.6

avast!
Win32:Evo-gen [Susp]
2014.9-160216

AVG
Adware Generic6
2017.0.2832

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
Application.Win32.TrueDown.GIIG
22250

ESET NOD32
Win32/Adware.TrueDownloader.A application
10.7.0.302.0

IKARUS anti.virus
PUA.TrueDownloader
t3scan.1.9.2.0

K7 AntiVirus
Adware
13.204.16045

Reason Heuristics
PUP.bundlebeez.Installer (M)
16.2.16.1

VIPRE Antivirus
Threat.5065747
40552

File size:
407.6 KB (417,384 bytes)

Product version:
1.48.0.0

Copyright:
Copyright (C) 2014

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
bundlebeez ltd.

Authority:
COMODO CA Limited

Valid from:
12/8/2014 6:00:00 PM

Valid to:
12/9/2015 5:59:59 PM

Subject:
CN=bundlebeez ltd., OU=bundlebeez, O=bundlebeez ltd., STREET=1 habarzel st., L=tel aviv, S=israel, PostalCode=69710, C=IL

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00C76FF2C3632486922817A7EBE894CE9E

File PE Metadata
Compilation timestamp:
1/19/2015 6:09:01 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:UnDD9OqE4tqfqqzdLfqHSOGrqRQbG88kxyzRyDdiUGvQ:aDD994zBfA/zR7hzdvQ

Entry address:
0x118D50

Entry point:
60, BE, 00, 70, 4C, 00, 8D, BE, 00, A0, F3, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Entropy:
7.8929

Packer / compiler:
UPX 2.90LZMA

Code size:
328 KB (335,872 bytes)

The file setup.exe has been seen being distributed by the following URL.

http://d1.peackapp.com/.../?p=ZXh0c3lzPTEmYWZmaWQ9Mjk2OTUxJmNpZD0xMDAmY3I9MTAwJmxvYz1lbiZzMT0wMDg0ODMwNzImYWZmaWxpYXRlcmVmZXJlbmNlaWQ9MDA4NDgzMDcyMDE4ODIzMzczMTIxJmNhbXBpZD0yODI0NTY=

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

TCP (HTTP):
Connects to stats-182385724-1591972470.us-east-1.elb.amazonaws.com  (54.221.252.69:80)

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.