setup.exe

Monarch Downloads

This adware bundler is distributed through Adknowledge's advertising-supported software managers. The application setup.exe by Monarch Downloads has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. The file has been seen being downloaded from secure.oinstaller7.com.
Publisher:
Monarch Downloads  (signed and verified)

MD5:
a837e54f8951ddaaa8748417480466eb

SHA-1:
3a32418012e7fda12e3444a583ff4aa7a3ede893

SHA-256:
52bd40d6f92d6d0a7ff7804fed4a4bbe4ce17b38b1c4588d996bae50c34af976

Scanner detections:
8 / 68

Status:
Adware

Explanation:
This installer bundles various adware programs that may include toolbars and web browser advertising injectors/extensions.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/27/2024 4:34:49 AM UTC

Scan engine         Detection                                    Engine version
Avira AntiVirus     ADWARE/iBryte.bxpa                           8.3.1.6
AVG                 Generic                                      2016.0.3090
Clam AntiVirus      Win.Trojan.Agent-763594                      0.98/20540
Dr.Web              Trojan.iBryte.548                            9.0.1.05190
ESET NOD32          NSIS/TrojanDownloader.Adload.AD trojan       7.0.302.0
K7 AntiVirus        Unwanted-Program                             13.204.16111
Reason Heuristics   PUP.Adknowledge.Bundler                      15.6.2.10
VIPRE Antivirus     Threat.4778314                               40552

File size:
152.5 KB (156,160 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
3/24/2014 12:00:00 AM

Valid to:
3/24/2015 11:59:59 PM

Subject:
CN=Monarch Downloads, O=Monarch Downloads, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6ED4FE307D4F8068EFCDF769A3803C67

File PE Metadata
Compilation timestamp:
5/11/2014 9:04:44 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:y0YBsBE3ain2Q5xq10DZYzIug4sw0PlX0wVQMwBMkqq/uzEfkNU:3nBTi2CRDZYzIuJT4QMwaj2kG

Entry address:
0x322E

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 14, C7, 44, 24, 10, D8, A2, 40, 00, 89, 6C, 24, 1C, FF, 15, 34, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, 34, 81, 40, 00, 55, FF, 15, AC, 82, 40, 00, 6A, 08, A3, 58, AF, 47, 00, E8, 9F, 2E, 00, 00, A3, A4, AE, 47, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, B8, 01, 44, 00, FF, 15, 7C, 81, 40, 00, 68, C0, A2, 40, 00, 68, A0, 2E, 47, 00, E8, 0A, 2B, 00, 00, FF, 15, 38, 81, 40, 00, BB, 00, B0, 4C, 00, 50, 53, E8, F8, 2A, 00, 00...
 

Entropy:
4.6632

Packer / compiler:
Nullsoft install system v2.x

Code size:
24.5 KB (25,088 bytes)

The file setup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-52-238.jfk6.r.cloudfront.net  (54.230.52.238:80)

TCP (HTTP):
Connects to server-54-192-54-172.jfk6.r.cloudfront.net  (54.192.54.172:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.16.148:80)

TCP (HTTP):
Connects to ec2-54-204-36-250.compute-1.amazonaws.com  (54.204.36.250:80)

TCP (HTTP):
Connects to ec2-23-21-59-31.compute-1.amazonaws.com  (23.21.59.31:80)

Remove setup.exe - Powered by Reason Core Security