Setup.exe

Free mp3 Wma Converter

Koyote-Lab Inc.

The file Setup.exe, “Free mp3 Wma Converter Install” by Koyote-Lab has been detected as a potentially unwanted program by 16 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This downloadble file is typically blocked through Google's Safe Browsing technology in Chrome web browser. The file has been seen being downloaded from www.packagequickheart.com and multiple other hosts.
Publisher:
Koyote-Lab Inc  (signed by Koyote-Lab Inc.)

Product:
Free mp3 Wma Converter

Description:
Free mp3 Wma Converter Install

Version:
1.0.0.135585

MD5:
05bc76723a9eb26a4e424bf5cd481e1f

SHA-1:
3fc72826f35521854ec2094c8d53224e79bae34a

SHA-256:
df9da51cd911c7e50af4a3068b107130aff7c9194ec27e81871049970bca241d

Scanner detections:
16 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 4:29:04 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Bandoo
7.1.1

AhnLab V3 Security
Win-PUP/SearchSuite
2015.04.09

Avira AntiVirus
PUA/SeaSuite.Gen
3.6.1.96

AVG
SearchSuite
2016.0.3144

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Bandoo.228
9.0.1.099

ESET NOD32
Win32/Toolbar.SearchSuite potentially unwanted
9.11448

G Data
Win32.Application.KoyoteLab
15.4.25

K7 AntiVirus
Adware
13.202.15538

Malwarebytes
PUP.Optional.Koyote.A
v2015.04.09.05

McAfee
Artemis!05BC76723A9E
5600.6800

NANO AntiVirus
Riskware.Win32.Bandoo.dgnlaz
0.30.10.952

Reason Heuristics
PUP.Installer.KoyoteLab
15.4.9.13

Rising Antivirus
PE:AdWare.Win32.BearShare.b!1075356890
23.00.65.15407

Sophos
Generic PUA DP
4.98

Trend Micro House Call
Suspicious_GEN.F47V0326
7.2.99

File size:
1.3 MB (1,333,248 bytes)

Product version:
1.0.0.135585

Copyright:
Copyright (c) 2015

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
2/12/2014 12:00:00 AM

Valid to:
2/21/2016 11:59:59 PM

Subject:
CN=Koyote-Lab Inc., OU=DEV, O=Koyote-Lab Inc., L=Panama City, S=Panama, C=PA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
05787E08EB7454E434F666A81F251A2D

File PE Metadata
Compilation timestamp:
2/24/2012 7:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:2xyk0K+TC8KTF9OiYq2JI0EpHYE01Bp6lDLnFZhHqfHW9uWcbwhA:Jk/KCRTvOiQi0EWh3qfnFraHW9Kw2

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...
 
[+]

Entropy:
7.9870

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file Setup.exe has been seen being distributed by the following 8 URLs.

http://www.packagequickheart.com/ILNAiBG5eAuzy96Fcd4Y9xRb33 KF Zuja ZC2UJDfPf3lMUc7xxRzGuCRp4T8Wy0wySZUvlC6ut5L6m vSiy1WaESzi2eVppxRsg5BANTLnhFRgYIrk3I2W_Ajd2V6e4qAccAFMdZuqXtnuN5MJITV9k_DE7uzzDnhnbBl7syj72jiQKJ6GpsKMfCmcdzWSeMD5fwpli6MdqCNcIuYTZ5DUrO00dQ==-G1wAAGRgnq2tQUhStQ_YgAOXEll0HkyGyeHzRWLmG2NvaFjXrZ6DYoUwvuCy4 BnKcAZfpsTar6NfN1in9iLhh9nwOTP90_5pBNO7gdoRJRgEJZkMIIB

http://download.koyotesoft.com/FreeMp3WmaConverterSetup.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-54-235-137-222.compute-1.amazonaws.com  (54.235.137.222:80)

Remove Setup.exe - Powered by Reason Core Security