setup.exe

MARi MARa

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application setup.exe by MARi MARa has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. The file has been seen being downloaded from get.0134h.info.
Publisher:
NPEES  (signed by MARi MARa)

Product:
NPEES

Version:
824.1568.829.195

MD5:
afddb3356b0e44d93db827c496436e77

SHA-1:
c98de0ff3f03c58bed622ce827f5fcf5f5965de7

SHA-256:
012428258a176db5ffade6b14946459b1b503ba0cf1c496a18f1f84855ca282f

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/23/2024 9:57:44 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse (M)
16.7.27.16

File size:
758.3 KB (776,520 bytes)

Product version:
824.1568.829.195

Copyright:
NPEES

Trademarks:
NPEES

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
6/7/2015 9:00:00 PM

Valid to:
12/17/2015 9:59:59 PM

Subject:
CN=MARi MARa, O=MARi MARa, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
50E3D498F56FC6D5B1D3FE3A3182461C

File PE Metadata
Compilation timestamp:
12/5/2009 8:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:+30SRA2aHd8lBDgc46VjPEP4DP7gXJMp8dRNbtQ6S2CqRimODH9eTIfc8vy4hj:+3/7gc4Iq4b7rWFe92emOr9It86c

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file setup.exe has been seen being distributed by the following URL.

Remove setup.exe - Powered by Reason Core Security