setup.exe

The executable setup.exe has been detected as malware by 50 anti-virus scanners. It presents itself as a setup and installation application; however, the file is not signed with an Authenticode signature from a trusted source. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. The file has been seen being downloaded from interia.pl and multiple other hosts.
MD5:
3a615b133b74066bc415e9ec682059c3

SHA-1:
ed1d9cd2103b65a86c99ebbfdeb57be3b464f9fb

SHA-256:
14078cbc1888af9d949ee27b1499a19f5889205a8beab20b77d908c04cc870fc

Scanner detections:
50 / 68

Status:
Malware

Analysis date:
12/25/2024 7:33:23 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.GenericKD.1645984
997

Agnitum Outpost
Trojan.PWS.Fareit
7.1.1

AhnLab V3 Security
Trojan/Win32.Ransomlock
14.05.14

Avira AntiVirus
TR/Fareit.A.86
7.11.149.54

avast!
Win32:Zbot-TMC [Trj]
2014.9-140514

AVG
Generic36
2015.0.3475

Baidu Antivirus
Trojan.Win32.Fareit
4.0.3.14514

Bitdefender
Trojan.GenericKD.1645984
1.0.20.670

Comodo Security
TrojWare.Win32.Injector.BBSG
18263

Dr.Web
Trojan.PWS.Panda.5676
9.0.1.0134

Emsisoft Anti-Malware
Trojan.GenericKD.1645984
8.14.05.14.08

ESET NOD32
Win32/PSW.Fareit
8.9791

Fortinet FortiGate
W32/Fareit.A!tr.pws
5/14/2014

F-Secure
Trojan.GenericKD.1645984
11.2014-14-05_4

G Data
Trojan.GenericKD.1645984
14.5.24

IKARUS anti.virus
Trojan-Spy.Zbot
t3scan.1.6.1.0

K7 AntiVirus
Password-Stealer
13.177.12041

Kaspersky
Trojan-PSW.Win32.Fareit
14.0.0.3868

Malwarebytes
Spyware.Zbot.ED
v2014.05.14.08

McAfee
Downloader-FYH!3A615B133B74
5600.7131

Microsoft Security Essentials
PWS:Win32/Zbot
1.10502

MicroWorld eScan
Trojan.GenericKD.1645984
15.0.0.402

NANO AntiVirus
Trojan.Win32.Inject.cwjtxc
0.28.0.59826

Norman
DLoader.UPA
11.20140514

nProtect
Trojan.GenericKD.1645984
14.05.12.01

Panda Antivirus
Trj/Genetic.gen
14.05.14.08

Qihoo 360 Security
HEUR/Malware.QVM07.Gen
1.0.0.1015

Quick Heal
TrojanDownloader.Upatre.A4
5.14.14.00

Sophos
Mal/Zbot-QT
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Reveton
10606

Total Defense
Win32/CInject.ANReUJC
37.0.10933

Trend Micro House Call
TSPY_FAREIT.SMT5
7.2.134

Trend Micro
TROJ_GEN.R0CBC0EDL14
10.465.14

Vba32 AntiVirus
BScope.Malware-Cryptor.Hlux
3.12.26.0

VIPRE Antivirus
Trojan.Win32.Generic
29154

File size:
100 KB (102,400 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\setup.exe

File PE Metadata
Compilation timestamp:
4/6/2014 7:34:28 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.0

CTPH (ssdeep):
1536:LUwIUzQx+ZZzrRNqK4G5ehsXbq9z0jtT8OGlC9fE69W/wNm2fiFfaLwYRj0lkoD:wTFx+zD9ehua0jjGqjWIdOiwYRjyT

Entry address:
0x1D22

Entry point:
55, 8B, EC, 6A, FF, 68, C8, 49, 40, 00, 68, 46, 35, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, 5F, 57, E8, 1A, F3, FF, FF, 90, 59, 83, 0D, 58, 64, 40, 00, FF, 83, 0D, 5C, 64, 40, 00, FF, E8, A5, 03, 00, 00, 90, 8B, 0D, 4C, 64, 40, 00, 89, 08, E8, 17, 08, 00, 00, 90, 8B, 0D, 48, 64, 40, 00, 89, 08, A1, 58, 42, 40, 00, 8B, 00, A3, 54, 64, 40, 00, E8, C6, 09, 00, 00, 39, 1D, E0, 60, 40, 00, 75, 0C, 68, 26, 11, 40, 00, 90, 90...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
12 KB (12,288 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.
