setup.exe

Installer

Stepitapp LLC

The application setup.exe by Stepitapp has been detected as adware by 7 anti-malware scanners. The file has been seen being downloaded from nym1.ib.adnxs.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Stepitapp LLC  (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
681a294031c429d5aff5a66aff121c1c

SHA-1:
c490e65681f9548c42ac862105b3145c2e0e57b7

SHA-256:
aaee97d9e15a1d487687b02929c106aba2f0acc09aaece52c7632a00237cf8c3

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Part of the Conduit/ClientConnect toolbar/extension distribution.

Analysis date:
12/26/2024 4:55:01 AM UTC  (today)

Scan engine | Detection | Engine version
Kaspersky | not-a-virus:Downloader.Win32.Agent | 14.0.0.3363
Malwarebytes | PUP.Optional.Conduit | v2014.08.23.09
McAfee | Artemis!681A294031C4 | 5600.7030
Panda Antivirus | Trj/Chgt.C | 14.08.23.09
Reason Heuristics | PUP.Installer.Stepitapp.I | 14.8.23.9
Trend Micro House Call | Suspicious_GEN.F47V0802 | 7.2.235
VIPRE Antivirus | Conduit | 32070

File size:
400.4 KB (410,032 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2013

Original file name:
FinalInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
12/10/2013 4:00:00 PM

Valid to:
12/11/2014 3:59:59 PM

Subject:
CN=Stepitapp LLC, O=Stepitapp LLC, POBox=1252, STREET=9 W. 31st Street, L=Bayonne, S=New Jersey, PostalCode=07002, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EA7DEF51F4F715C2C81433CCD6B15766

File PE Metadata
Compilation timestamp:
8/1/2014 11:48:30 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:U47AtFCVibqI59PpOPf201/z7pHmJI9ftR4lG2Z7A:NAtMVibqI59Pk2cb7pHmJ0ftR4ltFA

Entry address:
0x6227E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.1842

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
385 KB (394,240 bytes)

The file setup.exe has been seen being distributed by the following 25 URLs.

http://nym1.ib.adnxs.com/click?yOA6CeH69T8CeIpCTz7yP4XrUbgehfc_AniKQk8-8j_I4DoJ4fr1P8tVb9ctyL5ZsFMDKEr_iH-nOvlTAAAAAB_OMgCTBwAAdgIAAAIAAADrIRwBhWwHAAAAAQBVU0QAVVNEACwB-gDOcAAAKrEAAgUAAQIAAJQAdyjKKwAAAAA./cnd=!uwYZQAij-6kCEOvD8AgYhdkdIAA./referrer=http://session.masteringaandp.com/myct/assignments/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=nym1CLCnjcCi6b_EfxACGMurvbvdhbLfWSILNzIuNzQuNDIuNjkoATCn9eSfBQ..&tag=3329567

http://ams1.ib.adnxs.com/click?n6G3P82tK0Cfobc_za0rQAAAAAAAACxAn6G3P82tK0Cfobc_za0rQECRoY7cm9Ruff3_7jCUnFSH5AVUAAAAABEsIgB2AgAAdgIAAAIAAAARkP8A1YYFAAAAAQBVU0QAVVNEANgCWgABYQAA2bcAAgQAAQIAAIwAViY9IQAAAAA./cnd=!NQYJOwjA440CEJGg_gcY1Y0WIAQ./referrer=http://www.download366.com/windows-live-mail/thanks/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=ams1CP36__eOhqXOVBACGMCihvXI-6bqbiINOTAuMTMuMTEwLjE4MCgBMIfJl6AF&tag=2239505

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove setup.exe - Powered by Reason Core Security