setup.exe

Java Runtime

Download Assistant

This is part of the Air Installer, a download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application setup.exe, “Java Runtime ” by Download Assistant has been detected as adware by 16 anti-malware scanners. The program is a setup application that uses the AirInstaller Download Manager installer. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address useast.gtdlrfwd.com on port 80 using the HTTP protocol.
Publisher:
Download Assistant   (signed by Download Assistant)

Product:
Java Runtime

Description:
Java Runtime

Version:
3.0.0.53

MD5:
66cbe142fd80fc3e3b26e789d8fca5c5

SHA-1:
91d330e79d8bfa03bd0a1f799a7e11e2f3863d91

SHA-256:
cc8e88b6956a94ff6f1671211bc28ef85f69b70e100b7d9888c2494f603917bb

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications using the Vittalia monitization installer.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/24/2024 12:25:25 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Bundler.FX
809

Agnitum Outpost
Riskware.Agent
7.1.1

avast!
Win32:Adware-gen [Adw]
2014.9-141118

AVG
Generic
2015.0.3287

Bitdefender
Application.Bundler.FX
1.0.20.1610

Dr.Web
Trojan.Vittalia.3
9.0.1.0322

ESET NOD32
Win32/DownloadAssistant (variant)
8.10581

F-Secure
Application.Bundler.FX
11.2014-18-11_3

G Data
Application.Bundler.FX
14.11.24

IKARUS anti.virus
PUA.DownloadAssistant
t3scan.1.8.3.0

K7 AntiVirus
Unwanted-Program
13.185.13930

Malwarebytes
PUP.Optional.DownloadAssistant
v2014.11.18.02

NANO AntiVirus
Riskware.Win32.Conduit.dhhkky
0.28.6.62995

Reason Heuristics
PUP.Installer.DownloadAssistant.F
14.11.18.2

Total Defense
Win32/Tnega.MFfaER
37.0.11256

VIPRE Antivirus
Threat.4782985
33706

File size:
833.3 KB (853,344 bytes)

Product version:
3.0.0.53

Copyright:
(c) Download Assistant

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
AirInstaller Download Manager

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\pqg2prcq\setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
8/12/2014 8:00:00 PM

Valid to:
8/12/2016 7:59:59 PM

Subject:
CN=Download Assistant, O=Download Assistant, L=Victoria, S=British Columbia, C=CA

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6BC405E8AC962C676F54816BCC4D4311

File PE Metadata
Compilation timestamp:
11/17/2014 5:00:59 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:Mt1IVE7xT7mso4jg8ShGoa43MipEtD9afh:m1uS+4jgXc43MEM0J

Entry address:
0x4C712

Entry point:
E8, 4E, 1A, 01, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, 40, 3E, 4A, 00, 00, 74, 05, E9, B4, 1A, 01, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01, 83, EA, 01, 75, F6, 8B, 44, 24...
 
[+]

Entropy:
7.0728

Code size:
466.5 KB (477,696 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to useast.gtdlrfwd.com  (104.131.2.201:80)

TCP (HTTP):
Connects to shaynesherman.com  (69.65.38.112:80)

TCP (HTTP):
Connects to server-54-230-39-45.jfk1.r.cloudfront.net  (54.230.39.45:80)

TCP (HTTP):
Connects to server-54-230-39-200.jfk1.r.cloudfront.net  (54.230.39.200:80)

TCP (HTTP):
Connects to server-54-230-38-243.jfk1.r.cloudfront.net  (54.230.38.243:80)

TCP (HTTP):
Connects to server-54-230-38-130.jfk1.r.cloudfront.net  (54.230.38.130:80)

TCP (HTTP):
Connects to dallas-2.cdn77.com  (37.235.107.13:80)

Remove setup.exe - Powered by Reason Core Security