setup.exe

Installer

Stepitapp LLC

The application setup.exe by Stepitapp has been detected as adware by 14 anti-malware scanners. The file has been seen being downloaded from nym1.b.adnxs.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Stepitapp LLC (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
5908633cb54823f19669cfef5374b673

SHA-1:
28ed168b5e97ce33ea002f7a9c12ac8e584d252f

SHA-256:
48d210b7896fd724d66bde18d42c56a4570b8a4b7e77e657e100467b02af437f

Scanner detections:
14 / 68

Status:
Adware

Explanation:
Part of the Conduit/ClientConnect toolbar/extension distribution.

Analysis date:
12/24/2024 5:10:21 PM UTC

Scan engine | Detection | Engine version
avast! | Win32:Dropper-gen [Drp] | 2014.9-141002
Dr.Web | Adware.Downware.5822 | 9.0.1.0275
Fortinet FortiGate | Riskware/Agent | 10/2/2014
G Data | Win32.Trojan.Agent.4P134N | 14.10.24
IKARUS anti.virus | Trojan.Win32.Agent | t3scan.1.6.1.0
Kaspersky | not-a-virus:Downloader.Win32.Agent | 14.0.0.3162
McAfee | Artemis!17FD46A07B73 | 5600.6989
Panda Antivirus | Trj/Chgt.I | 14.10.02.01
Qihoo 360 Security | Win32/Virus.Downloader.8e5 | 1.0.0.1015
Quick Heal | Downloader.Agent.r3 (Not a Virus) | 10.14.14.00
Reason Heuristics | PUP.Installer.Stepitapp.F | 14.10.2.13
Trend Micro House Call | TROJ_GEN.F47V0516 | 7.2.275
Vba32 AntiVirus | Downloader.Agent | 3.12.26.3
VIPRE Antivirus | Conduit | 33586

File size:
407.1 KB (416,824 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2013

Original file name:
FinalInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
Stepitapp LLC
Authority:
COMODO CA Limited

Valid from:
12/11/2013 12:00:00 AM

Valid to:
12/11/2014 11:59:59 PM

Subject:
CN=Stepitapp LLC, O=Stepitapp LLC, POBox=1252, STREET=9 W. 31st Street, L=Bayonne, S=New Jersey, PostalCode=07002, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EA7DEF51F4F715C2C81433CCD6B15766

File PE Metadata
Compilation timestamp:
9/29/2014 9:16:18 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:77eZZCRibqI59PpOPf201/z7pUmJI9ftRVlxmS79z:neZ4RibqI59Pk2cb7pUmJ0ftRVl00x

Entry address:
0x638AE

Entry point:
FF 25 00 20 40 00, followed by a long run of 00 bytes (dump truncated on the page). The leading six bytes are the standard native entry stub of a .NET executable, an indirect jmp through the import table (jmp dword ptr [0x402000]) into the CLR's _CorExeMain, which is consistent with the ".NET CLR dependent: Yes" field below.

Entropy:
6.1389

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
390.5 KB (399,872 bytes)

The file setup.exe has been seen being distributed by the following 21 URLs.

http://nym1.b.adnxs.com/click?XJzWbJ-ozj-amZmZmZnJPxkEVg4tsuU_tR8sayBXyz84ktsCGF_QP094o68z-ghOCSHhOGQFwDOnBzdUAAAAAG-GNgDIAQAAdgIAAAIAAAB-hyoBYyAHAAAAAQBVU0QAVVNEANgCWgDehwAADs8AAgUAAQIAAJYAViN3dQAAAAA./cnd=!-gbTQwjz9MICEP6OqgkY48AcIAA./referrer=http://portal.mypearson.com/clickenc=http://.../st?cipid=168040&ttype=1&crid=2710428&dast=YnJzcj0zODQxJmJvPTEmY2lwaWQ9MTY4MDQwJmNpc2lkPTQ0QjZDMkU1NjkyODIyNzg0NjY5MjY2MCZjaXJpZD00NEI2QzJFNTY5MjgyMjgxNTMxNDc3MTQxJnNsaWQ9MCZzdWJpZD0xMDQ3JmNpdWlkPTIyODcyNjY2NjczNTcxNTAzMzQmc289MSZjcmlkPTI3MTA0MjgmZXhjaWQ9MjImbW10PS0xJm9zaWQ9NTMzJmNudHJ5PTIyNyZjaWNtcD0yNzgxMjgmY3U0PTAmcHViaWQ9OTcwMA==&cmcv=${CMCV}&tgtf=http://www.mydownloadhome.com/download/201?pub_id=90&sub_id=nym1CInChMfDrIHgMxACGM_wjf26xr6ETiIMNjQuMTg0Ljk3LjEwKAEwp4_coQU.&tag=3573359

https://secure-nym.adnxs.com/click?PdpH5justD_z9KTvA0OxP5zEILByaLE_8_Sk7wNDsT882kfmO6y0Py_E8WvIIOQ5st9lqIJkAV05tipUAAAAAGImLgDIAQAAdgIAAAIAAABx_SkBc5kFAAAAAQBVU0QAVVNEANgCWgClXQAA66cAAgUAAQIAAJIAGCosuwAAAAA./cnd=!AQecQgjQ9JMCEPH6pwkY87IWIAE./referrer=secure.imp-serving.com/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=nym1CLK_l8OqkNmAXRACGK-Ix9-GmYjyOSINOTguMjguMTQwLjIxNSgBMLnsqqEF&tag=3024482

http://lax1.ib.adnxs.com/click?YB3A_ycaxT_3SZvMq1rAPwAAAAAAAPA_90mbzKtawD9gHcD_JxrFP3ZcHod4YCFAlM2-mTziYg0IWzVUAAAAAPtCNgByBwAAdgIAAAIAAAB-hyoBEq8HAAAAAQBVU0QAVVNEANgCWgDZDAAAdukAAgUAAQIAAJYAuCMiXwAAAAA./cnd=!QgZLOwjCzJMCEP6OqgkYkt4eIAE./referrer=http://ib.adnxs.com/tt?id=3556091&referrer=${REFERER_URL}&sf7Spt2B=459_18x18_0/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=lax1CJSb-83Jx7ixDRACGPa4-biIj9iQQCINMjA3LjYyLjEwMi43OSgBMIi21aEF&tag=3556091

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com (173.192.190.227:443)

TCP (HTTP):

Remove setup.exe - Powered by Reason Core Security