» setup.exe
Overview
Analysis
File Details
Behaviors (1)

setup.exe

Install

Shan Feng

The application setup.exe by Shan Feng has been detected as a potentially unwanted program by 3 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘50LSSsFwuUJ0jUwO’.

File name:

setup.exe

Publisher:

Develop Ltd. (signed by Shan Feng)

Product:

Install

Version:

4,2,4,7

MD5:

a4f200615c1075e96795b568ebc33c1c

SHA-1:

576578812afc454a2c0d38c2463d21c7d2b9e556

SHA-256:

65ba298cb1f0c5f466914a565ace01a20ce0e019218cf3122629b580c50a7118

Scanner detections:

3 / 68

Status:

Potentially unwanted

Analysis date:

11/16/2024 3:51:52 AM UTC (today)

Scan engine

Detection

Engine version

Dr.Web

Trojan.Encoder.3833

9.0.1.05190

Kaspersky

Trojan-Ransom.Win32.Crypmod

15.0.0.562

Reason Heuristics

PUP.Elex.ShanFeng.Installer (M)

16.7.8.1

File size:

350.3 KB (358,680 bytes)

Product version:

2,7,3,1

Trademarks:

Original file name:

setup.exe

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature

Signed by:

Shan Feng

Authority:

thawte, Inc.

Valid from:

2/4/2016 3:00:00 AM

Valid to:

2/4/2017 2:59:59 AM

Subject:

CN=Shan Feng, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

35000007A9C98043CA459BAC1DA3B29C

File PE Metadata

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

6144:RcANLTczPHqr86XIljudLYLd5FgPKFqR54Apnz52XdZHb0cUxhtVCur7:pEbHqr8X5aLUjgPUy4YoX792hLCur7

Entry address:

0x13B3

Entry point:

55, 89, E5, 83, EC, 08, C7, 05, F8, 7A, 45, 00, 01, 00, 00, 00, E8, 84, 74, 04, 00, C9, E9, 66, FD, FF, FF, 55, 89, E5, 83, EC, 08, C7, 05, F8, 7A, 45, 00, 00, 00, 00, 00, E8, 69, 74, 04, 00, C9, E9, 4B, FD, FF, FF, 90, 90, 90, 66, 90, 66, 90, 55, 89, E5, 83, EC, 18, A1, A8, D9, 44, 00, 85, C0, 74, 3C, C7, 04, 24, 00, E0, 44, 00, FF, 15, 00, 83, 45, 00, 83, EC, 04, 85, C0, BA, 00, 00, 00, 00, 74, 16, C7, 44, 24, 04, 0E, E0, 44, 00, 89, 04, 24, FF, 15, 04, 83, 45, 00, 83, EC, 08, 89, C2, 85, D2, 74, 09, C7... 
[+]

Entropy:

7.8637 (probably packed)

Code size:

293 KB (300,032 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

50LSSsFwuUJ0jUwO

Command:

"C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe" \skipreg

Remove setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.