home

setup.exe

Monarch Downloads

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application setup.exe by Monarch Downloads has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. The file has been seen being downloaded from secure.oinstaller7.com.
Publisher:
Monarch Downloads  (signed and verified)

MD5:
a837e54f8951ddaaa8748417480466eb

SHA-1:
3a32418012e7fda12e3444a583ff4aa7a3ede893

SHA-256:
52bd40d6f92d6d0a7ff7804fed4a4bbe4ce17b38b1c4588d996bae50c34af976

Scanner detections:
8 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/14/2024 9:15:24 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/iBryte.bxpa
8.3.1.6

AVG
Generic
2016.0.3090

Clam AntiVirus
Win.Trojan.Agent-763594
0.98/20540

Dr.Web
Trojan.iBryte.548
9.0.1.05190

ESET NOD32
NSIS/TrojanDownloader.Adload.AD trojan
7.0.302.0

K7 AntiVirus
Unwanted-Program
13.204.16111

Reason Heuristics
PUP.Adknowledge.Bundler
15.6.2.10

VIPRE Antivirus
Threat.4778314
40552

File size:
152.5 KB (156,160 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
Monarch Downloads

Authority:
COMODO CA Limited

Valid from:
3/24/2014 12:00:00 AM

Valid to:
3/24/2015 11:59:59 PM

Subject:
CN=Monarch Downloads, O=Monarch Downloads, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6ED4FE307D4F8068EFCDF769A3803C67

File PE Metadata
Compilation timestamp:
5/11/2014 9:04:44 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:y0YBsBE3ain2Q5xq10DZYzIug4sw0PlX0wVQMwBMkqq/uzEfkNU:3nBTi2CRDZYzIuJT4QMwaj2kG

Entry address:
0x322E

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 14, C7, 44, 24, 10, D8, A2, 40, 00, 89, 6C, 24, 1C, FF, 15, 34, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, 34, 81, 40, 00, 55, FF, 15, AC, 82, 40, 00, 6A, 08, A3, 58, AF, 47, 00, E8, 9F, 2E, 00, 00, A3, A4, AE, 47, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, B8, 01, 44, 00, FF, 15, 7C, 81, 40, 00, 68, C0, A2, 40, 00, 68, A0, 2E, 47, 00, E8, 0A, 2B, 00, 00, FF, 15, 38, 81, 40, 00, BB, 00, B0, 4C, 00, 50, 53, E8, F8, 2A, 00, 00...
 
[+]

Entropy:
4.6632

Packer / compiler:
Nullsoft install system v2.x

Code size:
24.5 KB (25,088 bytes)

The file setup.exe has been seen being distributed by the following URL.

http://secure.oinstaller7.com/.../Setup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-52-238.jfk6.r.cloudfront.net  (54.230.52.238:80)

TCP (HTTP):
Connects to server-54-192-54-172.jfk6.r.cloudfront.net  (54.192.54.172:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.16.148:80)

TCP (HTTP):
Connects to ec2-54-204-36-250.compute-1.amazonaws.com  (54.204.36.250:80)

TCP (HTTP):
Connects to ec2-23-21-59-31.compute-1.amazonaws.com  (23.21.59.31:80)

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.