setup.exe

Installer

Stepitapp LLC

The application setup.exe by Stepitapp has been detected as adware by 14 anti-malware scanners. The file has been seen being downloaded from fra1.ib.adnxs.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Stepitapp LLC  (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
65a9bfa3198c692c5a3a2512f9301adc

SHA-1:
cc228701ae7d47d03eed50319896e54191750cb2

SHA-256:
ef0a0e5489f071598d19e4bdd4d02bfcc75cbf662cb9cbe2720adcdbb3c4532a

Scanner detections:
14 / 68

Status:
Adware

Explanation:
Part of the Conduit/ClientConnect toolbar/extension distribution.

Analysis date:
12/25/2024 4:47:01 PM UTC

Scan engine | Detection | Engine version
avast! | Win32:Dropper-gen [Drp] | 2014.9-141008
Dr.Web | Adware.Downware.5822 | 9.0.1.0281
Fortinet FortiGate | Riskware/Agent | 10/8/2014
G Data | Win32.Trojan.Agent.4P134N | 14.10.24
IKARUS anti.virus | Trojan.Win32.Agent | t3scan.1.6.1.0
Kaspersky | not-a-virus:Downloader.Win32.Agent | 14.0.0.3132
McAfee | Artemis!17FD46A07B73 | 5600.6983
Panda Antivirus | Trj/Chgt.I | 14.10.08.02
Qihoo 360 Security | Malware.Radar03.Gen | 1.0.0.1015
Quick Heal | Downloader.Agent.r3 (Not a Virus) | 10.14.14.00
Reason Heuristics | PUP.Installer.Stepitapp.F | 14.10.8.14
Trend Micro House Call | TROJ_GEN.F47V0516 | 7.2.281
Vba32 AntiVirus | Downloader.Agent | 3.12.26.3
VIPRE Antivirus | Conduit | 33712

File size:
407.1 KB (416,824 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2013

Original file name:
FinalInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\low\content.ie5\uyf6aw2d\setup.exe

Digital Signature
Signed by:
Stepitapp LLC
Authority:
COMODO CA Limited

Valid from:
12/10/2013 4:00:00 PM

Valid to:
12/11/2014 3:59:59 PM

Subject:
CN=Stepitapp LLC, O=Stepitapp LLC, POBox=1252, STREET=9 W. 31st Street, L=Bayonne, S=New Jersey, PostalCode=07002, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EA7DEF51F4F715C2C81433CCD6B15766

File PE Metadata
Compilation timestamp:
9/29/2014 1:11:19 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:4ka9AFphibqI59Pk2cb7pUmJ0ftRdlxa8:4ka9ArhibqIjk2cvpUmJ0vdlxa8

Entry address:
0x6392E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.1406

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
390.5 KB (399,872 bytes)

The file setup.exe has been seen being distributed by the following 25 URLs.

http://fra1.ib.adnxs.com/click?ctFvfuRlK0By0W9-5GUrQAAAAAAAADRActFvfuRlK0By0W9-5GUrQBL2PLWAJEMXngYWrYkaB3J9-TpUAAAAACQsIgB2AgAAdgIAAAIAAAARkP8A1YYFAAAAAQBVU0QAVVNEANgCWgABYQAA8ckAAgQAAQIAAIwApSHihgAAAAA./cnd=!NQYJOwjA440CEJGg_gcY1Y0WIAQ./referrer=http://www.win-install.com/microsoft-word/thanks/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=fra1CJ6N2Oia0caDchACGJLs86mLkMmhFyINOTIuOTEuMjUwLjIwOSgBMP3y66EF&tag=2239524

http://ams1.ib.adnxs.com/click?TACZZ8oEwD8xCKwcWmS7PzEIrBxaZLs_S11eequCAkApVYDMTaYFQA8zksf6SnBuEMaipoc8pTRFMjpUAAAAAIHBMgBfAAAAdgIAAAIAAABx_SkBq0wHAAAAAQBVU0QAVVNEANgCWgDRSAAAwtIAAgUAAQIAAJQANCKFYQAAAAA./cnd=!HwY7OQiLsJUCEPH6pwkYq5kdIAA./referrer=http://www.driverupdate.net/lp/1/?aps=ad_vista_lp1&k=Windows Vista Drivers&partner=1015&utm_campaign=driverupdate&utm_source=1015&utm_medium=cpc&utm_term=vista&tid2=449455890&tid3=33058/clickenc=http://www.mydownloadhome.com/.../201?pub_id=90&sub_id=ams1CJCMi7X6kM_SNBACGI_myLys35K4biIMMi4yMTguMjU0LjgwKAEwxeTooQU.&tag=3326337

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Powered by Reason Core Security