» Setup.exe
Overview
Analysis
File Details

Setup.exe

Onekit Internet

The file Setup.exe by Onekit Internet has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the OneKit Downloader installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. This downloadble file is typically blocked through Google's Safe Browsing technology in Chrome web browser.

File name:

Setup.exe

Publisher:

Onekit Internet (signed and verified)

MD5:

7d994b47861f669a93d14b7bf5a65db1

SHA-1:

045495422c991cd61c0276f72adc9e03278f5d92

SHA-256:

ace81ac917a0d90e8b7eaa9c80aa37a66230ae859a0d6e8f00db428a99eec87a

Scanner detections:

7 / 68

Status:

Adware

Explanation:

Bundles additional software, mostly toolbars and other potentially unwanted applications using the Vittalia monitization installer.

Description:

This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:

12/28/2024 2:11:15 AM UTC (today)

Scan engine

Detection

Engine version

AVG

Onenet

2016.0.3112

Dr.Web

Trojan.Vittalia.34

9.0.1.0131

ESET NOD32

Win32/TrojanDropper.Addrop.C trojan

9.7.0.302.0

herdProtect (fuzzy)

variant of installer_adobe_flash_player_japanese.exe (Adware)

2015.8.8.21

Malwarebytes

PUP.Optional.InstallCore.SID.A

v2015.05.11.07

Reason Heuristics

PUP.Installer.OnekitInternet

15.6.7.12

VIPRE Antivirus

Threat.4783369

39676

File size:

810.6 KB (830,024 bytes)

Bundler/Installer:

OneKit Downloader (using Nullsoft Install System)

Common path:

C:\users\{user}\downloads\setup.exe

Digital Signature

Signed by:

Onekit Internet

Authority:

thawte, Inc.

Valid from:

3/4/2015 5:00:00 PM

Valid to:

3/4/2016 4:59:59 PM

Subject:

CN=Onekit Internet, O=Onekit Internet, L=Cerdanyola del valles, S=Barcelona, C=ES

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

40744793F55F4350CB4D2F030795E67F

File PE Metadata

Compilation timestamp:

12/5/2009 3:52:12 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

12288:nVHzG6GBzCmEFYNJRKlpMagQEmdBvxhlaV5dfvN4zY6ercQEgYe+vgCi:n5z0BmmQkMpMaDdBvbUf0ircbLgR

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Entropy:

7.9873

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

Remove Setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.