setup.exe

SAFE INSTALL SOFTWARE

The application setup.exe, published by SAFE INSTALL SOFTWARE, has been detected as adware by 4 of 68 anti-malware scanners. It is an installer built with NSIS (Nullsoft Scriptable Install System) and is typically executed from an Internet Explorer cache folder (Temporary Internet Files), which is consistent with a browser download that was opened directly rather than saved first. While running, it connects over plain HTTP (port 80) to hwcdn.net and to a number of CDN- and cloud-hosted addresses listed below. The file is Authenticode-signed; its signing certificate was valid only from 5/19/2015 to 5/19/2016, so on a current system the signature continues to verify only if it carries a trusted timestamp countersignature.
Publisher:
SAFE INSTALL SOFTWARE  (signed and verified)

MD5:
1fc64ff69d8ab37d0599547dedfc598b

SHA-1:
aa0d38b6c7894fa8caea9c806e86a3b34a260b6a

SHA-256:
b37eead5e6b249bab9eef1b44dddf8e4ed61be39b4ec5cfe013e857b047d5665

Scanner detections:
4 / 68

Status:
Adware

Analysis date:
12/28/2024 12:51:58 AM UTC

Scan engine            Detection                    Engine version
AhnLab V3 Security     PUP/Win32.DownloadAdmin      2015.06.03
AVG                    Generic                      2016.0.3090
Reason Heuristics      Threat.Win.Reputation.IMP    15.6.2.14
VIPRE Antivirus        Threat.4783369               40552

File size:
653.6 KB (669,328 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
5/19/2015 2:00:00 AM

Valid to:
5/19/2016 1:59:59 AM

Subject:
CN=SAFE INSTALL SOFTWARE, O=SAFE INSTALL SOFTWARE, L=SAN FRANCISCO, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5591FE91109E0E8E18F34E77C30B1AB9

File PE Metadata
Compilation timestamp:
5/11/2015 8:14:16 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:P9cazLCHa4Aq9C5pdDHG850PBkHh6wrZkbY9380QpkY6sj8eCaRV4gSQTOBA:Vcaz+Hafq9CFDH3OmB6QZkM3cCS8KinA

Entry address:
0x1BB4

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, E0, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, E8, DC, 51, 00, 00, 53, E8, 50, FD, FF, FF, 59, FF, 15, 50, 77, 40, 00, 68, 01, 80, 00, 00, FF, 15, 70, 70, 40, 00, 53, FF, 15, 4C, 77, 40, 00, 6A, 08, A3, 98, 2C, 42, 00, E8, B9, 09, 00, 00, 53, 68, 60, 01, 00, 00, A3, 00, 3D, 42, 00, 8D, 44, 24, 38, 50, 53, 68, 73, 74, 40, 00, FF, 15, 9C, 71, 40, 00, 68, 68, 74, 40, 00, 68, 00, 35, 42, 00, E8, AB, 08, 00, 00, FF, 15, 6C, 70, 40, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)
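The PE metadata fields above (compilation timestamp, OS version, linker version, subsystem, entry address, code size, entry-point bytes) all come from the COFF and optional headers of the executable. The following is an added example, not code from the report or from the NSIS project: it parses those fields from a PE32 image with nothing but the standard library, and builds a minimal in-memory PE32 (constructed sample data) whose header values mirror the report so it runs offline. The bytes placed at the entry point are the opening bytes of the report's "Entry point" field. Two caveats a triage analyst should keep in mind: the TimeDateStamp is written by the linker, is not covered by any signature and is trivially forged; and an NSIS installer is a prebuilt NSIS stub with the installer data appended, so the timestamp and linker version describe the stub build rather than when this particular package was assembled.

```python
"""Extract report-style PE header fields from a PE32 image held in memory.

Added example (not the report's or NSIS's code). The sample image built by
build_sample_pe() is constructed; its header values are taken from the report.
"""
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}

# First 16 bytes of the report's "Entry point" field (NSIS 2.x WinMain prologue).
ENTRY_BYTES = bytes.fromhex("81EC8001000053555633DB57895C2418")


def parse_pe(data: bytes) -> dict:
    """Return the PE header fields the report lists, parsed from raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header: 0x%X" % magic)
    (_magic, linker_major, linker_minor, size_of_code, _init, _uninit,
     entry_rva, _base_code, _base_data, image_base, _sec_align, _file_align,
     os_major, os_minor, _img_major, _img_minor, _ss_major, _ss_minor,
     _w32ver, _size_of_image, _size_of_headers, _checksum,
     subsystem, _dllchars) = struct.unpack_from(
        "<HBBIIIIIIIIIHHHHHHIIIIHH", data, opt_off)

    # The section table follows the optional header; use it to translate the
    # entry-point RVA into a file offset so the first bytes can be shown.
    sec_off = opt_off + opt_size
    entry_bytes = b""
    for i in range(nsections):
        (_name, vsize, vaddr, rawsize, rawptr, *_rest) = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            off = entry_rva - vaddr + rawptr
            entry_bytes = data[off:off + 16]
            break

    return {
        "machine": hex(machine),
        # Linker-written 32-bit epoch; unauthenticated and trivially forged.
        "compilation_timestamp": datetime.fromtimestamp(
            timestamp, tz=timezone.utc).isoformat(),
        "os_version": f"{os_major}.{os_minor}",
        "bitness": "Win32",                      # magic 0x10B == PE32
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "linker_version": f"{linker_major}.{linker_minor}",
        "image_base": hex(image_base),
        "entry_address": entry_rva,
        "entry_point_bytes": ", ".join(f"{b:02X}" for b in entry_bytes),
        "code_size": size_of_code,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 whose header values match the report."""
    e_lfanew, opt_size = 0x40, 0xE0              # standard PE32 optional header size
    img = bytearray(0x1200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    ts = int(datetime(2015, 5, 11, 20, 14, 16, tzinfo=timezone.utc).timestamp())
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4,
                     0x14C, 1, ts, 0, 0, opt_size, 0x0102)   # i386, 1 section
    opt_off = e_lfanew + 24
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHH", img, opt_off,
                     0x10B, 9, 0,                 # PE32, linker 9.0
                     0x6000, 0, 0,                # SizeOfCode = 24,576
                     0x1BB4, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                     5, 0, 0, 0, 5, 0,            # OS 5.0, subsystem version 5.0
                     0, 0x8000, 0x200, 0,
                     2, 0)                        # Windows GUI
    # One .text section: RVA 0x1000-0x2000 stored at file offset 0x200.
    struct.pack_into("<8sIIIIIIHHI", img, opt_off + opt_size,
                     b".text", 0x1000, 0x1000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    off = 0x1BB4 - 0x1000 + 0x200
    img[off:off + len(ENTRY_BYTES)] = ENTRY_BYTES
    return bytes(img)


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it against a real sample, replace `build_sample_pe()` with `open(path, "rb").read()`; the parser rejects PE32+ (64-bit) images on purpose, since the report's fields are Win32-specific.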

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to st-sh-us-dc3-001.s.dss.vg  (208.91.197.27:80)

TCP (HTTP):
Connects to server-54-230-55-199.jfk6.r.cloudfront.net  (54.230.55.199:80)

TCP (HTTP):
Connects to server-54-230-53-81.jfk6.r.cloudfront.net  (54.230.53.81:80)

TCP (HTTP):
Connects to server-54-230-52-98.jfk6.r.cloudfront.net  (54.230.52.98:80)

TCP (HTTP):
Connects to server-54-230-52-245.jfk6.r.cloudfront.net  (54.230.52.245:80)

TCP (HTTP):
Connects to server-54-230-52-163.jfk6.r.cloudfront.net  (54.230.52.163:80)

TCP (HTTP):
Connects to server-54-192-54-180.jfk6.r.cloudfront.net  (54.192.54.180:80)

TCP (HTTP SSL):
Connects to s3-1.amazonaws.com  (54.231.9.224:443)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to ec2-54-208-23-129.compute-1.amazonaws.com  (54.208.23.129:80)

TCP (HTTP):
Connects to a23-67-244-145.deploy.static.akamaitechnologies.com  (23.67.244.145:80)

TCP (HTTP):

TCP (HTTP):
Connects to a1plpkivs-v03.any.prod.ash1.secureserver.net  (72.167.239.239:80)

TCP (HTTP):
Connects to a173-223-204-176.deploy.static.akamaitechnologies.com  (173.223.204.176:80)

TCP (HTTP):
Connects to a173-223-204-131.deploy.static.akamaitechnologies.com  (173.223.204.131:80)

TCP (HTTP):
Connects to 50.22.63.140-static.reverse.softlayer.com  (50.22.63.140:80)
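Most of the addresses above belong to shared CDN and cloud hosting (CloudFront, Akamai, S3/EC2, Highwinds, SoftLayer, GoDaddy), so blocking or alerting on the bare IPs will produce false positives for unrelated traffic. The following is an added example, not part of the report: it parses "Connects to host (ip:port)" entries into indicators, rates each one by fidelity based on whether the hostname sits under a shared-infrastructure suffix (that classification and the suffix list are this example's own assumptions), and matches the indicators against constructed Squid-format proxy log lines, so a host match and a weaker IP-only match are reported separately.

```python
"""Turn the report's network entries into rated indicators and match proxy logs.

Added example, not part of the report. REPORT_LINES copies a few entries from
the report; PROXY_LOG lines and the SHARED_SUFFIXES list are constructed.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

CONNECT_RE = re.compile(r"Connects to (\S+)\s+\((\d+\.\d+\.\d+\.\d+):(\d+)\)")

# Assumption: hosts under these suffixes are shared CDN/cloud infrastructure,
# so a hit on them is low fidelity (the same addresses serve many tenants).
SHARED_SUFFIXES = ("cloudfront.net", "amazonaws.com", "akamaitechnologies.com",
                   "hwcdn.net", "softlayer.com", "secureserver.net")

REPORT_LINES = """\
Connects to st-sh-us-dc3-001.s.dss.vg  (208.91.197.27:80)
Connects to server-54-230-55-199.jfk6.r.cloudfront.net  (54.230.55.199:80)
Connects to s3-1.amazonaws.com  (54.231.9.224:443)
Connects to hwcdn.net  (69.16.175.42:80)
Connects to a1plpkivs-v03.any.prod.ash1.secureserver.net  (72.167.239.239:80)
"""

# Constructed Squid access.log lines (native format); not real traffic.
PROXY_LOG = [
    "1735390000.123    120 10.0.0.5 TCP_MISS/200 9120 GET http://hwcdn.net/file - HIER_DIRECT/69.16.175.42 application/octet-stream",
    "1735390001.456     80 10.0.0.7 TCP_MISS/200 2210 GET http://d1example.cloudfront.net/app.js - HIER_DIRECT/54.230.55.199 application/javascript",
    "1735390002.789     60 10.0.0.9 TCP_MISS/200  410 GET http://intranet.example/ - HIER_DIRECT/10.1.1.1 text/html",
]


def is_shared(host: str) -> bool:
    """True when host is one of, or a subdomain of, the shared suffixes."""
    return any(host == s or host.endswith("." + s) for s in SHARED_SUFFIXES)


def extract_indicators(text: str) -> list:
    """Parse 'Connects to host (ip:port)' entries into rated indicators."""
    out = []
    for m in CONNECT_RE.finditer(text):
        host, ip, port = m.group(1), m.group(2), int(m.group(3))
        ip_address(ip)                      # raises ValueError on a bad address
        out.append({"host": host, "ip": ip, "port": port,
                    "fidelity": "low" if is_shared(host) else "medium"})
    return out


def match_proxy_log(lines: list, indicators: list) -> list:
    """Match Squid native-format lines on hostname first, then on server IP."""
    by_host = {i["host"]: i for i in indicators}
    by_ip = {i["ip"]: i for i in indicators}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 9:
            continue                        # malformed or truncated line
        src, url, hier = fields[2], fields[6], fields[8]
        host = urlparse(url).hostname
        dst_ip = hier.split("/")[-1]
        if host in by_host:
            hits.append({"src": src, "matched_on": "host", "indicator": by_host[host]})
        elif dst_ip in by_ip:
            # IP-only match: for shared infrastructure this is weak evidence.
            hits.append({"src": src, "matched_on": "ip", "indicator": by_ip[dst_ip]})
    return hits


if __name__ == "__main__":
    inds = extract_indicators(REPORT_LINES)
    for h in match_proxy_log(PROXY_LOG, inds):
        i = h["indicator"]
        print(f"{h['src']} -> {i['host']} ({i['ip']}:{i['port']}) "
              f"matched on {h['matched_on']}, fidelity {i['fidelity']}")
```

In practice the medium-fidelity entries (here the dss.vg host) and the file hashes and signer certificate serial above are the indicators worth alerting on; the CDN addresses are better used as supporting context on an existing alert than as triggers.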

Remove setup.exe - Powered by Reason Core Security