setup.exe

Налогоплательщик ЛАЙТ

LLC

The application setup.exe, “Налогоплательщик ЛАЙТ Setup” by LLC, has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from nalogypro.ru.
Publisher:
ООО "Служба налогоплательщика"  (signed by LLC )

Product:
Налогоплательщик ЛАЙТ

Description:
Налогоплательщик ЛАЙТ Setup

Version:
2016.4.13.0

MD5:
6afb2fb7c5ae089f3b2b1cbcf19516aa

SHA-1:
1291188035081dee9b6f364cb662074bc7dd26f3

SHA-256:
3a97fb52ef5afd3d36a0a1f5369b0e1d560200506c389afb4c5fcb2768703ed6

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not yet detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
11/23/2024 10:30:44 AM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
PUP.Amonitize.Installer (M)

Engine version:
16.4.22.17

File size:
40.3 MB (42,268,792 bytes)

Product version:
2016.4.13.0

Copyright:
Copyright © 2016 ООО "Служба налогоплательщика"

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/29/2015 4:00:00 AM

Valid to:
6/29/2018 3:59:59 AM

Subject:
CN="LLC ""Taxpayer's service""", O="LLC ""Taxpayer's service""", STREET="ploshhad' M.Suharevskaja,6, str.1 Bol'shaja Pionerskaja,4", L=Moscow, S=Moscow, PostalCode=127051, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FE7B351079FD02F4C109D42C37F5C27A

File PE Metadata
Compilation timestamp:
1/31/2011 8:44:13 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
786432:GAe8bSUQMXSDT6CupNwFijhMPprE0VbdB7SoPk/veiaUoP0:JQnDTTupm4jhurFdBNM2iaTP0

Entry address:
0x1D20

Entry point:
55, 8B, EC, 6A, FF, 68, 28, 21, 40, 00, 68, A0, 1E, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 88, 20, 40, 00, 59, 83, 0D, 54, 35, 40, 00, FF, 83, 0D, 58, 35, 40, 00, FF, FF, 15, 84, 20, 40, 00, 8B, 0D, CC, 32, 40, 00, 89, 08, FF, 15, 80, 20, 40, 00, 8B, 0D, C8, 32, 40, 00, 89, 08, A1, 7C, 20, 40, 00, 8B, 00, A3, 5C, 35, 40, 00, E8, 10, 01, 00, 00, 39, 1D, BC, 32, 40, 00, 75, 0C, 68, 9C, 1E, 40, 00, FF, 15, 78, 20...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
4 KB (4,096 bytes)

The file setup.exe has been seen being distributed from the following URL.

http://nalogypro.ru/data/lite/.../setup.exe
