setup.exe

Installer

Stepitapp LLC

The application setup.exe by Stepitapp has been detected as adware by 28 anti-malware scanners. The file has been seen being downloaded from lax1.ib.adnxs.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Stepitapp LLC  (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
41fe2b6ba1c86554aa42dfa3ada1da0c

SHA-1:
b1a1c01d8b9083a70d8e8993a7522c4d9791b565

SHA-256:
54f4e6e3b5396bd8de17caebcd3b30f6d93dc8ae5e3aa0d002f436f26d9faaf0

Scanner detections:
28 / 68

Status:
Adware

Explanation:
Part of the Conduit/ClientConnect toolbar/extension distribution.

Analysis date:
12/25/2024 5:33:56 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Dropper-gen [Drp]
2014.9-140913

Baidu Antivirus
Hacktool.Win32.Downloader
4.0.3.14913

Dr.Web
Adware.Downware.5822
9.0.1.0256

Fortinet FortiGate
Riskware/Agent
9/13/2014

G Data
Win32.Trojan.Agent.4P134N
14.9.24

herdProtect (fuzzy)
2014.11.9.11

IKARUS anti.virus
Trojan.Win32.Agent
t3scan.1.6.1.0

Kaspersky
not-a-virus:Downloader.Win32.Agent
14.0.0.3258

McAfee
Artemis!17FD46A07B73
5600.7009

Panda Antivirus
Trj/Chgt.F
14.09.13.10

Qihoo 360 Security
Win32/Virus.Downloader.8e5
1.0.0.1015

Quick Heal
Downloader.Agent.r3 (Not a Virus)
9.14.14.00

Reason Heuristics
PUP.Installer.Stepitapp.F
14.9.13.10

Trend Micro House Call
TROJ_GEN.F47V0516
7.2.256

Vba32 AntiVirus
Downloader.Agent
3.12.26.0

VIPRE Antivirus
Conduit
33046

File size:
404.6 KB (414,264 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2013

Original file name:
FinalInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\{random}\setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
12/10/2013 6:00:00 PM

Valid to:
12/11/2014 5:59:59 PM

Subject:
CN=Stepitapp LLC, O=Stepitapp LLC, POBox=1252, STREET=9 W. 31st Street, L=Bayonne, S=New Jersey, PostalCode=07002, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EA7DEF51F4F715C2C81433CCD6B15766

File PE Metadata
Compilation timestamp:
9/10/2014 2:43:35 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:bP8mDLCDibqI59PpOPf201/z7pUmJI9ftRVlYmr7n:gmDODibqI59Pk2cb7pUmJ0ftRVljfn

Entry address:
0x62EAE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
6.1441

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
388 KB (397,312 bytes)

The file setup.exe has been seen being distributed by the following 28 URLs.

http://lax1.ib.adnxs.com/click?ev11bdElsD9EkHDnefeqP7gehetRuK4_RJBw53n3qj96_XVt0SWwP0-hMccvW5seJpSDviteIXQVZx9UAAAAAGImLgDIAQAAdgIAAAIAAADxzysBc5kFAAAAAQBVU0QAVVNEACwB-gClXQAArd0AAgUAAQIAAJIAEii6DgAAAAA./cnd=!rgapPwjQ9JMCEPGfrwkY87IWIAE./referrer=lax1.ib.adnxs.com/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=lax1CKaojvS7xdeQdBACGM_Cxrn85dbNHiINNjkuNzYuMjIxLjIzMSgBMJXO_aAF&tag=3024482

http://lax1.ib.adnxs.com/click?z9lf-m6X1z9UeaVBUu_TP6JFtvP91Ow_VHmlQVLv0z_P2V_6bpfXP_51naLS2PQ5AuOMGIYuJQoX0BRUAAAAAFxmNAA_AQAAdgIAAAIAAACCqB0BHvEGAAAAAQBVU0QAVVNEACwB-gBz9AAAlN0AAgUAAQIAAJQAmCupdgAAAAA./cnd=!hAZxPQjtqq4CEILR9ggYnuIbIAA./referrer=www.driversupport.com/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=lax1CILGs8Th0MuSChACGP7r9ZSqmrb6OSIONjguMjI4LjE2Ny4xNDcoATCXoNOgBQ..&tag=3434076

https://secure-nym.adnxs.com/click?gCgOIVnyvz_9-GpGOMK4PwAAAAAAAPA__fhqRjjCuD-BKA4hWfK_P8Pz9PieVkosw-3Y3JiqdX8_MhNUAAAAANN4NAByBwAAdgIAAAIAAABN7vUAqIUHAAAAAQBVU0QAVVNEANgCWgCOrwAAwasAAgUAAQIAAJQARSjccAAAAAA./cnd=!TQabPAjCzJMCEM3c1wcYqIseIAE./referrer=www.youtube.com/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=nym1CMPb4-aN0-q6fxACGMPn08fv05WlLCINMTg0LjMuMTM4LjE0NigBML_kzKAF&tag=3438803

http://lax1.ib.adnxs.com/click?2yCDiiHmxz8JVdGvo_TDP-xRuB6F67E_CVXRr6P0wz_bIIOKIebHP5mxxr2P8W99w6CBxfx5bi7rHxpUAAAAAGImLgDIAQAAdgIAAAIAAABx_SkBc5kFAAAAAQBVU0QAVVNEANgCWgClXQAACrsAAgUAAQIAAJIACSuyKQAAAAA./cnd=!AQecQgjQ9JMCEPH6pwkY87IWIAE./referrer=soft81.net/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=lax1CMPBhqzMv563LhACGJnjmu77sfy3fSIONzAuMTk1LjE5NS4yMzUoATDrv-igBQ..&tag=3024482

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove setup.exe - Powered by Reason Core Security