setup_ra.exe

The application setup_ra.exe has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from wpc.0952.edgecastcdn.net and multiple other hosts.
MD5:
7fc85a306e8d76722c4ecd2465895e4e

SHA-1:
723e1383cb351d28cff314008cf790e919286ebb

SHA-256:
20be43f1c8454341539ab0da57161d0f19c7f9a860f6c7a9f2514a3fab5bc697

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
12/24/2024 3:33:48 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
PUA.Win32.InstallCore
4.0.3.14530

Dr.Web
Adware.Downware.3968
9.0.1.0150

Emsisoft Anti-Malware
Application.Win32.InstallAd
11.5.0.6191

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.14528

SUPERAntiSpyware
Trojan.Agent/Gen-Downloader
10573

Trend Micro House Call
TROJ_GEN.F47V0430
7.2.150

File size:
236.1 KB (241,728 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\setup_ra.exe

File PE Metadata
Compilation timestamp:
12/5/2009 8:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:Ge34swp8OXQ75+ZPPfnE2Qyn20UuWzA3MWYT+vy4h2:TwpqF+ZPPfnEUn5fc8vy4h2

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file setup_ra.exe has been seen being distributed by the following 2 URLs.

http://wpc.0952.edgecastcdn.net/800952/.../setup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-23-23-74-144.compute-1.amazonaws.com  (23.23.74.144:80)

TCP (HTTP):
Connects to server-54-230-52-170.jfk6.r.cloudfront.net  (54.230.52.170:80)

TCP (HTTP):
Connects to ec2-54-243-156-206.compute-1.amazonaws.com  (54.243.156.206:80)

TCP (HTTP):
Connects to ec2-54-235-129-220.compute-1.amazonaws.com  (54.235.129.220:80)

TCP (HTTP):
Connects to ec2-54-203-247-161.us-west-2.compute.amazonaws.com  (54.203.247.161:80)

Remove setup_ra.exe - Powered by Reason Core Security