setup_3017g.exe

Video-AdBlock

The executable setup_3017g.exe, "Video-AdBlock Setup", has been detected as malware by 6 anti-virus scanners. The program is a setup application that uses the Inno Setup installer; however, the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from twelveaward.com.

Product:
Video-AdBlock

Description:
Video-AdBlock Setup

MD5:
73ea08e2d7bc78ed8dbf4e0ed06b19df

SHA-1:
836975254fa71d52d165c551259ef90c6433cf7d

SHA-256:
f7b48f9f315b799391add3cac51dc234df9817458c2c4510039d2084f1613bbf

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
11/27/2024 8:33:04 PM UTC

Scan engine                     Detection                Engine version
avast!                          Win32:SaliCode           160518-2
ESET NOD32                      Win32/Sality.NBA virus   8.0.319.0
F-Prot                          W32/Sality.gen2          4.6.5.141
Kaspersky                       Virus.Win32.Sality       15.0.0.562
Microsoft Security Essentials   Threat.Undefined         1.223.2886.0
VIPRE Antivirus                 Threat.4721115           50350

File size:
507.7 KB (519,902 bytes)

Product version:
1.0.0.38

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup_3017g.exe

File PE Metadata
Compilation timestamp:
6/20/1992 2:52:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:+QiYzp6YygMJjdRbvTg0UUl42cATvxsZh6Qz7o:+QiYp3avJlvcAb+Ho

Entry address:
0xA5F8

Entry point:
22, C6, C7, C0, 97, FB, 02, 11, 80, C0, F5, 88, C1, B9, 2C, 09, A9, F1, C6, C5, B9, 0F, BE, C9, 0F, AF, DA, 0F, BE, CC, 8D, 3D, D2, 7F, C6, 39, 8D, 2D, 30, B0, 12, D5, 80, E7, 4B, 4B, BF, 5B, DC, E1, 4C, BA, 1E, E9, DC, F2, 8A, D2, 87, CA, 8B, DF, 3D, F5, AC, 00, 00, 73, 03, F3, 84, F9, 8D, 1D, 3A, 9B, 41, 85, 56, 5B, 33, C9, 87, CB, 1B, DF, 43, 8D, 11, FF, CB, B9, 6F, 1B, E8, 3A, 8B, FA, F2, 69, DE, 85, B6, A5, C0, 89, F3, 85, C6, 57, 0F, B7, C8, 0F, B7, CD, 5D, 86, F6, 22, FC, 55, EB, 02, F2, F2, 5E, FE...

Entropy:
7.9423 (probably packed)

Code size:
39.5 KB (40,448 bytes)

The file setup_3017g.exe has been seen being distributed from twelveaward.com.

Powered by Reason Core Security