home

setup.exe

Springsteen Labs (Bright Circle Investments Ltd)

The application setup.exe by Springsteen Labs (Bright Circle Investments) has been detected as adware by 9 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from cdn.webdataserv.com and multiple other hosts.
Publisher:
Springsteen Labs (Bright Circle Investments Ltd)  (signed and verified)

MD5:
28e13f10627a573bbd70d83c7a26b793

SHA-1:
308f330af9cf7136e52fabf62cae0eeaccd51569

Scanner detections:
9 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
11/23/2024 7:45:34 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
Adware/CrossRider.114144
7.11.202.118

AVG
Win32/DH
2016.0.3225

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.15119

ESET NOD32
Win32/Toolbar.CrossRider.BU (variant)
9.11034

Fortinet FortiGate
Riskware/CrossRider
1/19/2015

McAfee
Artemis!28E13F10627A
5600.6881

Trend Micro House Call
Suspicious_GEN.F47V0115
7.2.19

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.3

VIPRE Antivirus
Crossrider
36766

File size:
111.5 KB (114,144 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\setup.exe

Digital Signature
Signed by:
Springsteen Labs (Bright Circle Investments Ltd)

Authority:
COMODO CA Limited

Valid from:
12/16/2014 1:00:00 AM

Valid to:
12/17/2015 12:59:59 AM

Subject:
CN=Springsteen Labs (Bright Circle Investments Ltd), O=Springsteen Labs (Bright Circle Investments Ltd), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4AF9B5B4B73295C548A696A82077626D

File PE Metadata
Compilation timestamp:
12/15/2014 5:14:03 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
1536:TBan+2qMX+twC0qSnCbz/5Hu4utXiL6+0Ec4PpHsWjcdIjDFzmf:TI+x++KVkVTSz+0coIjDFz

Entry address:
0x75F3

Entry point:
E8, C1, 4E, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 74, C1, 31, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, B8, BC, 31, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 74, C1, 31, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7, C6, 03...
 
[+]

Code size:
70 KB (71,680 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.

http://cdn.webdataserv.com/.../setup.exe

http://cdn.download4desktop.com/Installer/.../crossbrowser20150115.exe

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.