setup.exe

MultiDesk

The executable setup.exe, “Remote Desktop Connection”, has been detected as malware by 24 anti-virus scanners. It is a setup and installation application; however, the file is not signed with an Authenticode signature from a trusted source. It is set to execute automatically when any user logs into Windows (through the local user Run registry setting) under the name ‘setup.exe -start’. While running, it connects to the Internet address Hosted.By.Evoluso.com on port 80 using the HTTP protocol.
Publisher: MultiDesk
Product: MultiDesk
Description: Remote Desktop Connection
Version: 3.0.0.0
MD5: e172014d3acf98ae09e674bdbdca4107
SHA-1: 4115d12cc562994c9fadb860f531470943e8eef5
SHA-256: 9e8ed4fa0a7944f30919ced6c2e845490c11a5eea9b09f8fa5b90e081c4b14e0
Scanner detections: 24 / 68
Status: Malware
Analysis date: 11/24/2024 2:07:27 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.2685791 | 493
AhnLab V3 Security | Trojan/Win32.Downloader | 2015.09.24
Arcabit | Trojan.Generic.D28FB5F | 1.0.0.567
avast! | Win32:Dropper-gen [Drp] | 2014.9-150929
Bitdefender | Trojan.GenericKD.2685791 | 1.0.20.1360
Dr.Web | Trojan.Baidu.443 | 9.0.1.0272
Emsisoft Anti-Malware | Trojan.GenericKD.2685791 | 8.15.09.29.10
ESET NOD32 | Win32/RiskWare.Chindo | 9.12296
F-Secure | Trojan.GenericKD.2685791 | 11.2015-29-09_3
G Data | Trojan.GenericKD.2685791 | 15.9.25
McAfee | GenericR-ELX!E172014D3ACF | 5600.6627
Microsoft Security Essentials | Threat.Undefined | 1.205.2604.0
MicroWorld eScan | Trojan.GenericKD.2685791 | 16.0.0.816
NANO AntiVirus | Trojan.Win32.Baidu.dwbmki | 0.30.26.3725
nProtect | Trojan.GenericKD.2685791 | 15.09.23.01
Panda Antivirus | Trj/Downloader.WOG | 15.09.29.10
Qihoo 360 Security | HEUR/QVM07.1.Malware.Gen | 1.0.0.1015
Reason Heuristics | Threat.Win.Reputation.IMP | 15.10.8.9
Sophos | Generic PUA EB (PUA) | 4.98
Total Defense | Heur/TrojanHorse.ZCJZ!suspicious | 37.1.62.1
Trend Micro | TROJ_GEN.R070C0OHU15 | 10.465.29
VIPRE Antivirus | Trojan.Win32.Generic | 43992
ViRobot | Trojan.Win32.Agent.122880.DE[h] | 2014.3.20.0
Zillya! Antivirus | Tool.Chindo.Win32.131 | 2.0.0.2411

File size: 120 KB (122,880 bytes)
Product version: 3.0.0.0
Copyright: Copyright 2013 syvik.com. All rights reserved.
File type: Executable application (Win32 EXE)
Language: Chinese
Common path: C:\users\{user}\appdata\local\temp\setup.exe

File PE Metadata

Compilation timestamp: 8/19/2015 2:45:59 PM
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 6.0
CTPH (ssdeep): 3072:RUWVPvSG+DrGPFhFCf7Z6BO3j5g+7OqqtGUpk:RUQSwA7Z643jZ4k
Entry address: 0xB5B0
Entry point (first bytes):
55, 8B, EC, 6A, FF, 68, 50, 42, 41, 00, 68, 4C, D0, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, 20, 41, 41, 00, 33, D2, 8A, D4, 89, 15, 88, 62, 42, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 84, 62, 42, 00, C1, E1, 08, 03, CA, 89, 0D, 80, 62, 42, 00, C1, E8, 10, A3, 7C, 62, 42, 00, 6A, 01, E8, D7, 19, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, C3, 00, 00, 00, 59, E8, 82, 17, 00, 00, 85, C0, 75, 08, 6A, 10, E8, B2, 00, 00, 00, 59, 33, F6, 89, 75...

Developed / compiled with: Microsoft Visual C++ v6.0
Code size: 76 KB (77,824 bytes)

Startup File (All Users Run)

Registry location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: setup.exe -start
Command: C:\users\{user}\appdata\local\temp\setup.exe -start

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP): Connects to Hosted.By.Evoluso.com (94.242.228.117:80)

Remove setup.exe - Powered by Reason Core Security