setup.exe

neomedia

The application setup.exe by neomedia has been detected as a potentially unwanted program by 10 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. This is a trojan Bot that uses IRC to communicate with a comand and control network. The Trojan drops other malicious software and opens a backdoor on the infected computer and will run automatically on each boot.
Publisher:
neomedia  (signed and verified)

MD5:
022392e5a18655eb36d27f34a0bf3366

SHA-1:
5853d671be7fdb81d29cdf7c8ef67e4879adf972

SHA-256:
413d437af5e6401d2585907578e5f69b14f34172e1f0a734aebeb85d76038669

Scanner detections:
10 / 68

Status:
Potentially unwanted

Explanation:
Part of a backdoor IRC bot network.

Analysis date:
11/15/2024 11:57:22 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/KeywordFind.B
8.3.3.4

AVG
Generic
2017.0.2583

Baidu Antivirus
Win32.Trojan.WisdomEyes.16070401.9500
4.0.3.161022

Bkav FE
W32.HfsAdware
1.3.0.8455

ESET NOD32
Win32/AdWare.KeywordFind (variant)
10.14276

F-Prot
W32/Themida_Packed
v6.4.7.1.166

K7 AntiVirus
Adware
13.243.21185

Qihoo 360 Security
HEUR/QVM19.1.0000.Malware.Gen
1.0.0.1120

Rising Antivirus
Malware.Heuristic!ET (rdm+)
23.00.65.161020

VIPRE Antivirus
Backdoor.Win32.Ircbot.gen
53018

File size:
1 MB (1,049,824 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\setup.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/25/2016 9:00:00 AM

Valid to:
1/25/2017 8:59:59 AM

Subject:
CN=neomedia, OU=IT Team, O=neomedia, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
343766F67EC25EF07DB4A9C47879EAF6

File PE Metadata
Compilation timestamp:
10/11/2016 8:29:10 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:Ktuv1am/ddzGsb/KmeYUIRllpwpGZu6rg8o1cNXQ9rGzYgkMJQYg:zvP/7iM/KmeYUIDIGZu6rg8kqmMO

Entry address:
0x22C000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, 60, 0B, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 34, 37, 80, 3A, 68, 2E, 9B, 78, 53, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.8424  (probably packed)

Code size:
479.5 KB (491,008 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Remove setup.exe - Powered by Reason Core Security