» setup.exe
Overview
Analysis
File Details
Network (10)

setup.exe

Tianjing Cheng

The executable setup.exe has been detected as malware by 1 anti-virus scanner. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. While running, it connects to the Internet address server-54-230-216-220.mrs50.r.cloudfront.net on port 80 using the HTTP protocol.

File name:

setup.exe

Publisher:

Tianjing Cheng (signed and verified)

MD5:

661c616edf27b31c44f773b3386d15ad

SHA-1:

242db9adc3216bdc41f5cc91096cf71d80298293

SHA-256:

8836051da5938502b44a419acfc372b8d422e99220f9d31757fa93db9e6d7e9f

Scanner detections:

1 / 68

Status:

Malware

Analysis date:

11/15/2024 8:56:25 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Threat.Win.Reputation (M)

17.2.5.16

File size:

420.2 KB (430,304 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature

Signed by:

Tianjing Cheng

Authority:

thawte, Inc.

Valid from:

1/22/2017 5:30:00 AM

Valid to:

7/13/2017 5:29:59 AM

Subject:

CN=Tianjing Cheng, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

6A613CE6DAE33EE23E3053055DFF85DD

File PE Metadata

Compilation timestamp:

1/19/2017 7:47:47 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

12.0

Entry address:

0x6363

Entry point:

E8, 63, 1F, 00, 00, E9, 94, 7A, 00, 00, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 74, 13, 8B, 55, 0C, 85, D2, 74, 0C, 8B, 4D, 10, 85, C9, 75, 19, 33, C0, 66, 89, 06, E8, D2, BB, FF, FF, 6A, 16, 5E, 89, 30, E8, 52, 43, 00, 00, 8B, C6, 5E, 5D, C3, 57, 8B, FE, 2B, F9, 0F, B7, 01, 66, 89, 04, 0F, 8D, 49, 02, 66, 85, C0, 74, 03, 4A, 75, EE, 33, C0, 5F, 85, D2, 75, DF, 66, 89, 06, E8, 9D, BB, FF, FF, 6A, 22, EB, C9, E8, F8, 20, 00, 00, 85, C0, 74, 08, 6A, 16, E8, 87, 13, 00, 00, 59, F6, 05, A0, 7E, 46, 00, 02, 74, 21... 
[+]

Entropy:

7.8106 (probably packed)

Code size:

377.5 KB (386,560 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to server-54-230-216-223.mrs50.r.cloudfront.net (54.230.216.223:80)

TCP (HTTP):

Connects to server-52-85-77-26.lax3.r.cloudfront.net (52.85.77.26:80)

TCP (HTTP):

Connects to server-52-84-246-4.sfo20.r.cloudfront.net (52.84.246.4:80)

TCP (HTTP):

Connects to server-54-230-216-48.mrs50.r.cloudfront.net (54.230.216.48:80)

TCP (HTTP):

Connects to server-54-230-216-220.mrs50.r.cloudfront.net (54.230.216.220:80)

TCP (HTTP):

Connects to server-52-85-77-231.lax3.r.cloudfront.net (52.85.77.231:80)

TCP (HTTP):

Connects to server-52-85-77-199.lax3.r.cloudfront.net (52.85.77.199:80)

TCP (HTTP):

Connects to server-52-84-246-250.sfo20.r.cloudfront.net (52.84.246.250:80)

TCP (HTTP):

Connects to server-52-84-246-216.sfo20.r.cloudfront.net (52.84.246.216:80)

TCP (HTTP):

Connects to server-52-84-230-193.sfo9.r.cloudfront.net (52.84.230.193:80)

Remove setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.