setup_online.exe

Fuyuan Zhou

The application setup_online.exe by Fuyuan Zhou has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from x.rafomedia.com and multiple other hosts.
Publisher:
Fuyuan Zhou  (signed and verified)

MD5:
c12c9d85c64709c9a166437811ed4665

SHA-1:
1dd17f01c9c59864d093fc16049bc9bcf92c1899

SHA-256:
07e45c6a84a7ce2d73e6e889acb6211ff07e87c25ecc356b9fa149de7102d6e1

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
4/10/2025 5:38:46 PM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.8.5.2

File size:
461.4 KB (472,448 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\setup_online.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
8/4/2016 3:00:00 AM

Valid to:
6/22/2017 2:59:59 AM

Subject:
CN=Fuyuan Zhou, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
2D0CB6E3DC3A12D7CBCD35A38BE4422E

File PE Metadata
Compilation timestamp:
8/4/2016 11:50:45 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
6144:M9XE4iiVnj59j57D9neWdjy0zIXq1lU1PjrMuxtFiAsjMq6BWa31/idR:cXEfiVj5X7D9Vy21li5zFiF0cS/wR

Entry address:
0x386BB

Entry point:
BB, 7B, 3D, 00, 00, 86, C5, C6, 95, 96, 94, 11, E6, EE, 70, 00, BB, 78, B8, 57, E6, 48, 00, 00, 00, 00, 6D, 1D, 12, 6B, 08, BB, D0, 11, 62, 9D, 86, B3, 27, 99, 58, F9, B0, A5, 4F, AB, CF, CA, BE, DA, B5, BA, C7, 95, E2, 26, D8, 71, 80, C7, BB, 59, CD, B3, CC, 9D, AC, F1, 95, 96, 94, 64, 26, B2, 35, 00, 00, 00, 00, BE, 2B, 61, 34, 41, 0D, 4F, 38, 11, 1B, 62, DA, 18, BE, A4, 92, D3, 54, 7F, 00, 5A, AE, 64, BD, 38, C9, 94, 75, C9, B3, CC, 90, BA, B5, 2F, 9D, 0F, 97, 00, 00, 00, 00, C2, F6, 1C, 57, 90, 70, 00...

Entropy:
7.0948

Code size:
354 KB (362,496 bytes)

The file setup_online.exe has been observed being distributed from the following 5 URLs.

http://x.rafomedia.com/stc?rq=NA-default-720-606-1-99a04146-be0c-4cf0-9a12-4669f95d684f

http://x.rafomedia.com/stc?rq=NA-default-720-606-1-40e36e57-4eb2-4a93-ae9d-350d614fcc8f

http://x.rafomedia.com/stc?rq=NA-default-720-606-1-6ad21f26-81aa-4274-add4-4f29eab55143

http://x.rafomedia.com/stc?rq=NA-default-720-633-1-aa7f9c3d-340f-40ad-a676-e8e0b9363aa5

Remove setup_online.exe - Powered by Reason Core Security