Setup.exe

OSU

Traffic Space, LLC

The file Setup.exe, "Open Software Updater" by Traffic Space, has been detected as adware by 5 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. This downloadable file is typically blocked by Google's Safe Browsing technology in the Chrome web browser. The file has been seen being downloaded from staysafedownloads.com and multiple other hosts. While running, it connects to the Internet address custip-2080.sedoparking.com on port 80 using the HTTP protocol.
Publisher:
InstallerTech Corp (signed by Traffic Space, LLC)

Product:
OSU

Description:
Open Software Updater

Version:
3.0.0.0

MD5:
826e0ae678147877a9aacdeb01e37b4d

SHA-1:
52a575407bbf2a10559f8481d2ab9003cbc466a9

SHA-256:
829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73

Scanner detections:
5 / 68

Status:
Adware

Analysis date:
11/23/2024 12:35:39 PM UTC

Scan engine      | Detection                                                    | Engine version
Dr.Web           | Adware.Downware.12954, Adware.Downware.9973                  | 9.0.1.05190
ESET NOD32       | Win32/OpenDownloadManager.A potentially unwanted application | 6.3.12010.0
Malwarebytes     | PUP.Optional.Bundle                                          | v2015.03.01.07
Reason Heuristics| PUP (M)                                                      | 17.2.8.10
VIPRE Antivirus  | Threat.4786240                                               | 29708

File size:
188.4 KB (192,936 bytes)

Copyright:
(c) InstallerTech Corp. 2015

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
2/10/2015 7:00:00 PM

Valid to:
3/18/2015 7:59:59 PM

Subject:
CN="Traffic Space, LLC", O="Traffic Space, LLC", L=Woodcliff Lake, S=New Jersey, C=US

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
1C74C364E85C31C63BF0EFB6F416FD6A

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:nLk395hYXJ44k2jtkaCBgmsnRg9FYa+yHCH5M02vQMRU9e162W80dccEVGjBmPSB:nQq+2jXYP+Ys52r6O6AQgz6d/

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.6163

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file Setup.exe has been seen being distributed by the following 22 URLs.

https://staysafedownloads.com/startdlnow.php

http://installopensoftware.com/download.php

http://installopensoftware.com/startdle.php

https://appcloudprotected.com/campaign/.../rdr.php

https://appcloudprotected.com/download.php

https://downloadopensoftware.com/download.php

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to lb-212-222.above.com (103.224.212.222:80)

TCP (HTTP):
Connects to custip-2080.sedoparking.com (91.195.241.80:80)
