setup.exe

STart pLaying

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application setup.exe by STart pLaying has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from dl.file23desktop.com.
Publisher:
SWUMG  (signed by STart pLaying)

Product:
SWUMG

Version:
463.15530.805.5836

MD5:
840d267b2467011e7e3d728a23d91a4c

SHA-1:
f7f695599c5f14662899d8c7d91a2c3a9a0ad889

SHA-256:
e43951060a1d8e2c56328578d5aff4e51443a98ab3789ad9401cffe4f139d779

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
12/25/2024 12:11:02 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.OutBrowse
2015.06.03

AVG
Downloader
2016.0.3090

Dr.Web
Trojan.OutBrowse.739
9.0.1.05190

ESET NOD32
Win32/OutBrowse.CE potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/OutBrowse
6/2/2015

K7 AntiVirus
Unwanted-Program
13.204.16117

Kaspersky
not-a-virus:AdWare.Win32.OutBrowse
15.0.0.543

McAfee
Artemis!82AEB81DF8CD
5600.6746

Reason Heuristics
PUP.Outbrowse.Bundler
15.6.2.15

Trend Micro House Call
Suspici.EAD97A79
7.2.153

VIPRE Antivirus
Threat.4150696
40552

File size:
744.5 KB (762,320 bytes)

Product version:
463.15530.805.5836

Copyright:
SWUMG

Trademarks:
SWUMG

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
5/28/2015 1:00:00 AM

Valid to:
12/11/2015 11:59:59 PM

Subject:
CN=STart pLaying, O=STart pLaying, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
2447D23F86DE57428433972F0A8394A5

File PE Metadata
Compilation timestamp:
12/5/2009 10:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:pKL/xzu/dBcT8syw5OsdiZzdwsRhrmU2wY+XbI2Bh8T2r1go8X03GVs4sqtFafcI:pKL/xz4TcT8s95Os8w+rmU2wcY8iBZNX

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9839

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file setup.exe has been seen being distributed by the following URL.

Remove setup.exe - Powered by Reason Core Security