home

setup.exe

TapGamez 2013 LTD

The application setup.exe by TapGamez 2013 has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from 3ydrx.ieffch.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Installer  (signed by TapGamez 2013 LTD)

Product:
Installer

Version:
1.51.0.0

MD5:
a3e0807ac9adb53b4ff36c4c0c702cd9

SHA-1:
c518219660f12494bac7356147908e487e6ee1fc

SHA-256:
7a728130367af12b6049500bbf1689de3442f71baa0f5fb24c4b3acc423204aa

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/2/2024 1:40:37 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.TapGamez.TapGamez2013.Installer (M)
16.2.23.11

File size:
965.6 KB (988,752 bytes)

Product version:
1.51.0.0

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
TapGamez 2013 LTD

Authority:
COMODO CA Limited

Valid from:
12/15/2014 6:00:00 PM

Valid to:
12/16/2015 5:59:59 PM

Subject:
CN=TapGamez 2013 LTD, O=TapGamez 2013 LTD, STREET=1 habarzel st., L=tel aviv, S=israel, PostalCode=69710, C=IL

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00BD65286DA248840F6ECF8F4305066E9F

File PE Metadata
Compilation timestamp:
3/9/2015 6:05:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:jCBKnfjM62ObthzypxIecnLTSfrQoKV+1hb74:zLegCIecnLTSfwV+1hv4

Entry address:
0x625EF

Entry point:
E8, 92, 56, 00, 00, E9, 7F, FE, FF, FF, 51, C7, 01, 0C, 95, 48, 00, E8, 77, 5C, 00, 00, 59, C3, 55, 8B, EC, 8D, 41, 09, 50, 8B, 45, 08, 83, C0, 09, 50, E8, D6, 5B, 00, 00, F7, D8, 59, 1B, C0, 59, 40, 5D, C2, 04, 00, 55, 8B, EC, 56, 8B, F1, E8, C9, FF, FF, FF, F6, 45, 08, 01, 74, 07, 56, E8, D0, F5, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 55, 8B, EC, 5D, E9, 14, 00, 00, 00, 55, 8B, EC, 6A, 0A, 6A, 00, FF, 75, 08, E8, 5A, 61, 00, 00, 83, C4, 0C, 5D, C3, 55, 8B, EC, 6A, 0A, 6A, 00, FF, 75, 08, E8, 5E, 5E, 00...
 
[+]

Entropy:
6.5814

Code size:
521 KB (533,504 bytes)

The file setup.exe has been seen being distributed by the following URL.

http://3ydrx.ieffch.com/.../?p=ZXh0c3lzPTQmYWZmaWQ9MTEyMiZjaWQ9MTAwJmNyPTEwMCZsb2M9ZW4mb2lkPTE2JnJlcWlkPTEwMjRmZmMyYmZlZTdhOWYyZGJlMzc3Nzc4NjFmMA==

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

TCP (HTTP):
Connects to stats-182385724-1591972470.us-east-1.elb.amazonaws.com  (54.221.252.69:80)

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.