setup.exe

Selection Tools

NOSIBAY

The application setup.exe, “Selection Tools Installer” by NOSIBAY has been detected as a potentially unwanted program by 14 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from gb-cdn.windapp.net and multiple other hosts.
Publisher:
NOSIBAY  (signed and verified)

Product:
Selection Tools

Description:
Selection Tools Installer

Version:
3.0.730.0.62852

MD5:
1c83172c3a39c3339b1daab25582d242

SHA-1:
7e42ae65fafb28f9c9ce94d48a4fad25776b4ad9

SHA-256:
eff8c81378c872f4dd369f7ab0884136fc26357aa8cb5d755ada2aeace6c24fc

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
12/29/2024 6:48:27 PM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2016.0.3116

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Downware.10519
9.0.1.0127

IKARUS anti.virus
PUA.BubbleDock
t3scan.1.8.9.0

K7 AntiVirus
Riskware
13.203.15815

McAfee
Artemis!1C83172C3A39
5600.6772

Panda Antivirus
PUP/Nosibay
15.05.07.06

Reason Heuristics
PUP.Installer.NOSIBAY
15.5.7.14

Rising Antivirus
PE:Trojan.Win32.Generic.18763188!410399112
23.00.65.15505

Sophos
Bubble Dock
4.98

Trend Micro House Call
PUA_BubbleDock
7.2.127

Trend Micro
PUA_BubbleDock
10.465.07

Vba32 AntiVirus
suspected of Trojan.Downloader.gen
3.12.26.3

VIPRE Antivirus
BubbleDock
39980

File size:
3.5 MB (3,658,888 bytes)

Copyright:
© WTools

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
9/25/2014 2:00:00 AM

Valid to:
12/26/2015 12:59:59 AM

Subject:
CN=NOSIBAY, OU=Secure Application Development, O=NOSIBAY, L=PEROLS, S=Hérault, C=FR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
52E368957AD1C7202A103C7CFD7BD6C2

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:F837aEFyCp6wZpmWDIZQ9ki2VsOm4lY920OM/LqNWG4DFQj3ewQ9Lc6F:q3WEFr/wQ9kXVsOm42rOM/SWlFMePF

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file setup.exe has been seen being distributed by the following 5 URLs.

Remove setup.exe - Powered by Reason Core Security