setup.exe

Setup Module

Babylon Ltd.

This is part of the Babylon web browser toolbar and extension, which modifies the browser's default search provider, DNS settings, and home page. The application setup.exe (“Setup Application”) has been detected as adware by 40 anti-malware scanners. It displays context-specific advertisements in the browser and attempts to change the browser's search provider. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address ba-sh-us-dc3-005.babylon.com on port 80 using the HTTP protocol.
Publisher:
Babylon Ltd.

Product:
Setup Module

Description:
Setup Application

Version:
9.1.2.10

MD5:
45d935f6e9882532a7990e719c7629c8

SHA-1:
3bacaf51ea4d7573c9d6db40bd1c982bf2765fd8

SHA-256:
fdbca0fb904d75130eab79b68f33bf98d8715c79bed0e5d7ff8a7f4fe6949db7

Scanner detections:
40 / 68

Status:
Adware

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
12/25/2024 1:12:47 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Win32.Runouce.B@mm | 904
Agnitum Outpost | I-Worm.Chir.B | 7.1.1
AhnLab V3 Security | Win32/ChiHack.6652 | 14.08.15
Avira AntiVirus | W32/Chir.B | 7.11.144.160
avast! | Win32:Oncer | 2014.9-140815
AVG | Win32/Chir.B@mm | 2015.0.3382
Baidu Antivirus | Virus.Win32.Runouce.$a | 4.0.3.14815
Bitdefender | Win32.Runouce.B@mm | 1.0.20.1135
Bkav FE | W32.ChirBPE | 1.3.0.4959
Boost by Reason | Optional.Babylon.F | 188163
Clam AntiVirus | WIN.Worm.Brontok | 0.98/18355
Comodo Security | Application.Win32.Babylon.aa | 17740
Dr.Web | Trojan.StartPage.56734 | 9.0.1.0329
Emsisoft Anti-Malware | Win32.Runouce.B@mm | 8.14.08.15.01
ESET NOD32 | Win32/Toolbar.Babylon (variant) | 7.9389
Fortinet FortiGate | W32/Chir.B@mm | 8/15/2014
F-Prot | W32/Thecid.B@mm | v6.4.7.1.166
F-Secure | Win32.Runouce.B@mm | 11.2014-15-08_6
G Data | Win32.Runouce.B@mm | 14.8.24
IKARUS anti.virus | Email-Worm.Win32.Runouce | t3scan.1.6.1.0
K7 AntiVirus | EmailWorm | 13.176.11833
Kaspersky | Email-Worm.Win32.Runouce | 14.0.0.3405
Malwarebytes | (detection name not listed) | v2013.11.25.01
McAfee | W32/Chir.b@MM | 5600.7038
Microsoft Security Essentials | Virus:Win32/Chir.B@mm | 1.10502
MicroWorld eScan | Win32.Runouce.B@mm | 15.0.0.681
NANO AntiVirus | Trojan.Win32.StartPage.cssmvq | 0.28.0.57630
Norman | Malware | 11.20140815
nProtect | Win32.Runouce.B@mm | 14.04.21.01
Panda Antivirus | W32/Chir.B | 14.08.15.01
Qihoo 360 Security | Virus.Win32.CNHacker.C | 1.0.0.1015
Quick Heal | W32.Runouce.B | 8.14.12.00
Reason Heuristics | PUP.Installer.Babylon.F | 14.2.26.9
Rising Antivirus | PE:Worm.ChineseHacker-2!23772 | 23.00.65.14813
Sophos | W32/Chir-A | 4.98
Total Defense | Win32/Chir.B | 37.0.10890
Trend Micro | PE_Chir.B | 10.465.15
Vba32 AntiVirus | Virus.Win32.Chur.A | 3.12.26.0
VIPRE Antivirus | Win32.chir.b | 28462
ViRobot | Win32.Chir.B | 2011.4.7.4223

File size:
1.2 MB (1,294,848 bytes)

Product version:
9.1.2.10

Copyright:
Copyright © Babylon Ltd. 1997-2013

Original file name:
Setup32.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\latest\setup.exe

File PE Metadata
Compilation timestamp:
7/21/2013 8:03:30 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:2323kqauxJqtQ6DPit67YRy/iCnnTzZUyUHvFYpD5DkYHA:23Fq/ItxD+Ry/iCnqxHvFYppkYHA

Entry address:
0x75C29

Entry point:
E8, 95, DF, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 98, 7C, 4C, 00, E8, C1, F4, FF, FF, E8, A4, 22, 00, 00, 0F, B7, F0, 6A, 02, E8, 28, DF, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, A4, 7D, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
5.6998

Code size:
613 KB (627,712 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to DedLoadLM2200.babylon.com  (184.154.27.232:80)

TCP (HTTP):
Connects to ba-sh-us-dc3-005.babylon.com  (198.143.175.67:80)

TCP (HTTP):
Connects to singhop0012.babylon.com  (173.236.48.139:80)
