setup.exe

App secure LLC

This is the Softpulse installer, which bundles applications with offers for additional third-party software, mostly unwanted adware, and may be installed with minimal consent. The application setup.exe by App secure has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the Softpulse SoftwareBundler installer. The file has been seen being downloaded from ttb.ynkh4f87i.com.
Publisher:
App secure LLC  (signed and verified)

MD5:
941ab513405a1a261d70e39e28c69a06

SHA-1:
a89da821d48f58455ab07b0fbb8a46b061df210c

SHA-256:
4cc2e18f6c28b86142e584856b0223564bf168fef812d672db15d8924e61bf50

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/23/2024 12:20:01 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Softpulse (M)

Engine version:
17.3.5.0

File size:
575.1 KB (588,944 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Softpulse SoftwareBundler

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
12/18/2014 12:00:00 AM

Valid to:
12/18/2015 11:59:59 PM

Subject:
CN=App secure LLC, O=App secure LLC, L=Wilmington, S=Delaware, C=US

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
04066136EF6C787974CAE6D761647CA2

File PE Metadata
Compilation timestamp:
3/3/2015 9:59:28 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x1A8960

Entry point:
60, BE, 00, E0, 53, 00, 8D, BE, 00, 30, EC, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, AB, 69, 1A, 00, 57, 83, C3, 04, 53, 68, 5D, A9, 06, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...
Entropy:
7.9468  (probably packed)

Code size:
432 KB (442,368 bytes)

The file setup.exe has been seen being distributed from the following URL.

http://ttb.ynkh4f87i.com/download/request/.../xb9onqTr?__tc=1421600841.936&lpsl=51de1e686bb8908473b4c2f8e28dca09&expire=1421687235&PubID=366104&slp=www.allprggreat.com&ClickID=u5ad3a4eb54b3f3b03f63bc7de9&fileName=Setup