setup.exe

Setup Downloader

VerifiedInstallation

The application setup.exe by VerifiedInstallation has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from 7softwaredreams.com.
Publisher:
VerifiedInstallation  (signed and verified)

Product:
Setup Downloader

Version:
0.1.0.1

MD5:
360fb702d9f141f196cf3ba20f8b01d9

SHA-1:
1011bceaa3831fd6711ed0069e2f6c30fb0a51f0

SHA-256:
97cc3c4723fb4831c38842d8af9abd0b07a0ce83696695fe31428db557d1c5fd

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/26/2024 1:32:59 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.AdGazelle.Verified.Installer (M)
16.7.8.22

File size:
225.1 KB (230,488 bytes)

Product version:
0.1.0.1

Copyright:
Copyright (C) 2015

Original file name:
downloader.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
3/3/2015 8:42:42 PM

Valid to:
3/3/2016 8:42:42 PM

Subject:
CN=VerifiedInstallation, O=VerifiedInstallation, L=Las Vegas, S=Nevada, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00AD549677C65B0FD8

File PE Metadata
Compilation timestamp:
4/20/2015 12:34:17 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:nFVg/Agj+ucqroG5MFvrJeIoZUK6LyskqTLlj6prwAg0FuzIxdhNnv:nFVCzjl2IIoh6LKqTJPAOOrv

Entry address:
0xFA00

Entry point:
E8, A4, 9B, 00, 00, E9, 89, FE, FF, FF, FF, 35, 24, 5A, 43, 00, FF, 15, 5C, 80, 42, 00, 85, C0, 74, 02, FF, D0, 6A, 19, E8, FB, 52, 00, 00, 6A, 01, 6A, 00, E8, 5F, 43, 00, 00, 83, C4, 0C, E9, 24, 43, 00, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1...
 
[+]

Code size:
152.5 KB (156,160 bytes)

The file setup.exe has been seen being distributed by the following URL.

Remove setup.exe - Powered by Reason Core Security