setupytd.exe

YTD Video Downloader

Greentree Applications SRL

The application setupytd.exe by Greentree Applications SRL has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from youtubedownload.altervista.org and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
Greentree Applications SRL  (signed and verified)

Product:
YTD Video Downloader

Version:
4.8.4

MD5:
477a9e92623f05e4e2b25ba5bf072dc0

SHA-1:
dbde9ee59d153fa91c704a575c622addbaaf2ad9

SHA-256:
e49063e7d5216ab7588569cc85fe3f9f053895773e77e3d01606a8da0cad73aa

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
This is part of a Greentree bundled installer, which includes various adware, toolbars and co-bundled potentially unwanted apps pushed to the user upon setup.

Analysis date:
12/25/2024 7:52:02 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Greentree
2015.0.3359

Dr.Web
Adware.BGuard.24
9.0.1.0249

ESET NOD32
Win32/Toolbar.Widgi (variant)
8.10365

Malwarebytes
PUP.Optional.Spigot
v2014.09.06.02

McAfee
Artemis!477A9E92623F
5600.7015

Reason Heuristics
PUP.Optional.Installer.I
14.9.6.14

File size:
10.5 MB (11,040,312 bytes)

Product version:
4.8.4.0.6

Copyright:
Copyright © 2007-2014 GreenTree Applications SRL

Original file name:
Uninstall.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Engleski (Sjedinjene Države)

Common path:
C:\users\{user}\downloads\setupytd.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
5/21/2013 2:00:00 AM

Valid to:
7/21/2015 1:59:59 AM

Subject:
CN=Greentree Applications SRL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Greentree Applications SRL, L=Bucharest, S=Bucharest, C=RO

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
78DC92DC061211DFE51480E9347F91C8

File PE Metadata
Compilation timestamp:
2/24/2012 8:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
196608:fPU7e/i6wN3wZywe1c+RPz2R9EkM1FucNXcbpdYUQ3fk0W+XSS7lDt:D/i69yNtr2R9EkuFuYsbpdYdk0fHRt

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file setupytd.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (95.211.187.107:80)

Remove setupytd.exe - Powered by Reason Core Security