setup.exe

Installer

Stepitapp LLC

The application setup.exe by Stepitapp has been detected as adware by 10 anti-malware scanners. The file has been seen being downloaded from nym1.ib.adnxs.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.

Publisher:
Stepitapp LLC (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
cd11a8fc01ed9e63e7501fcb20d721e6

SHA-1:
3fbcef63fd5becebfb4768d48bdc099404961a13

SHA-256:
f24ac77e0746a96173a5a2a5030091b0a72952855557c8cfe190a3f07d576383

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Part of the Conduit/ClientConnect toolbar/extension distribution.

Analysis date:
12/26/2024 8:08:01 PM UTC

Scan engine              Detection                            Engine version
avast!                   Win32:Dropper-gen [Drp]              2014.9-140710
Fortinet FortiGate       Riskware/Agent                       7/2/2014
Kaspersky                not-a-virus:Downloader.Win32.Agent   15.0.0.494
McAfee                   Artemis!8A2ED863690C                 5600.7081
Panda Antivirus          Trj/Chgt.A                           14.07.02.05
Qihoo 360 Security       HEUR/Malware.QVM03.Gen               1.0.0.1015
Reason Heuristics        PUP.Installer.Stepitapp.F            14.7.17.10
Trend Micro House Call   Suspicious_GEN.F47V0620              7.2.183
Vba32 AntiVirus          Downloader.Agent                     3.12.26.3
VIPRE Antivirus          Conduit                              30702

File size:
395.9 KB (405,424 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2013

Original file name:
FinalInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
12/10/2013 4:00:00 PM

Valid to:
12/11/2014 3:59:59 PM

Subject:
CN=Stepitapp LLC, O=Stepitapp LLC, POBox=1252, STREET=9 W. 31st Street, L=Bayonne, S=New Jersey, PostalCode=07002, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EA7DEF51F4F715C2C81433CCD6B15766

File PE Metadata
Compilation timestamp:
6/29/2014 12:21:23 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:FlGvtlC6ibqI59PpOPf201/z7ppmJI9ftR1O7X:FlGC6ibqI59Pk2cb7ppmJ0ftRaX

Entry address:
0x6117E


Entropy:
6.1874

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
380.5 KB (389,632 bytes)

The file setup.exe has been seen being distributed by the following 36 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
