setup.exe

Goobzo LTD

The application setup.exe by Goobzo has been detected as adware by 28 anti-malware scanners. The file has been seen being downloaded from d3dle8xo1zpfnz.cloudfront.net and multiple other hosts.
Publisher:
Goobzo LTD  (signed and verified)

Version:
1.3.4.0

MD5:
10d2d1aa06814c3f45375601ad0de708

SHA-1:
b5915978ee54f2d9e6e7c546c4f5f7526bcdb0fc

SHA-256:
7c6b4fdf8c695417f8fc0e7f1a095b79014d2cdcd19f9a5854e814e9e8154e22

Scanner detections:
28 / 68

Status:
Adware

Analysis date:
12/25/2024 12:00:02 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Strictor.62444
855

AVG
Skodna
2015.0.3412

Baidu Antivirus
Adware.Win32.SpeedBit
4.0.3.14715

Bitdefender
Gen:Variant.Strictor.62444
1.0.20.1380

Emsisoft Anti-Malware
Gen:Variant.Strictor.62444
8.14.10.03.11

ESET NOD32
Win32/SpeedBit (variant)
8.10096

Fortinet FortiGate
Riskware/SpeedBit
10/3/2014

F-Secure
Gen:Variant.Strictor.62444
11.2014-03-10_6

G Data
Gen:Variant.Strictor.62444
14.10.24

IKARUS anti.virus
PUA.OptionalInst.Goobzo
t3scan.1.6.1.0

K7 AntiVirus
Trojan
13.183.13305

McAfee
Artemis!10D2D1AA0681
5600.7068

MicroWorld eScan
Gen:Variant.Strictor.62444
15.0.0.828

Panda Antivirus
Adware/Goobzo
14.10.03.11

Qihoo 360 Security
HEUR/Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.Goobzo.F
14.8.8.2

Sophos
Generic PUA LF
4.98

Trend Micro House Call
Suspicious_GEN.F47V0714
7.2.196

Trend Micro
TROJ_SPNV.03GO14
10.465.03

VIPRE Antivirus
Goobzo
31288

File size:
1.1 MB (1,129,872 bytes)

Product version:
1.3.4.0

Copyright:
Copyright (C) 2014

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\installer\install_4274\setup.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
5/2/2013 5:30:00 AM

Valid to:
5/3/2015 5:29:59 AM

Subject:
CN=Goobzo LTD, O=Goobzo LTD, L=Haifa, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
120B25DDE57B88636AD4D97D23B99C88

File PE Metadata
Compilation timestamp:
7/10/2014 7:13:33 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:x3XN+Y0KKTZKwr7O8vxETNqujk/PWrFjlsvB4HCZHlAs:dMNRrzpETNqujk/O1laB4HCZHlAs

Entry address:
0x4DF4D

Entry point:
E8, F0, D5, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, E4, 76, 4C, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, F0, 44, 4C, 00, 01, 0F, 82, 26, D7, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA...
 
[+]

Entropy:
6.6228

Code size:
575.5 KB (589,312 bytes)

The file setup.exe has been seen being distributed by the following 4 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-84-2-155.compute-1.amazonaws.com  (54.84.2.155:80)

TCP (HTTP):
Connects to ec2-54-208-92-111.compute-1.amazonaws.com  (54.208.92.111:80)

TCP (HTTP):
Connects to ec2-54-164-56-11.compute-1.amazonaws.com  (54.164.56.11:80)

TCP (HTTP):
Connects to ec2-107-20-238-80.compute-1.amazonaws.com  (107.20.238.80:80)

TCP (HTTP):
Connects to server-54-239-168-181.fra50.r.cloudfront.net  (54.239.168.181:80)

TCP (HTTP):
Connects to server-54-239-158-235.cdg51.r.cloudfront.net  (54.239.158.235:80)

TCP (HTTP):
Connects to server-54-230-92-73.fra2.r.cloudfront.net  (54.230.92.73:80)

TCP (HTTP):
Connects to server-54-230-60-70.mad50.r.cloudfront.net  (54.230.60.70:80)

TCP (HTTP):
Connects to server-54-230-60-214.mad50.r.cloudfront.net  (54.230.60.214:80)

TCP (HTTP):
Connects to server-54-230-201-166.fra50.r.cloudfront.net  (54.230.201.166:80)

TCP (HTTP):
Connects to server-54-230-185-110.cdg51.r.cloudfront.net  (54.230.185.110:80)

TCP (HTTP):
Connects to server-54-230-174-50.bom2.r.cloudfront.net  (54.230.174.50:80)

Remove setup.exe - Powered by Reason Core Security