» vdownloader_setup.exe
Overview
Analysis
File Details
Downloads (7)

vdownloader_setup.exe

Bafedeluh

FlashFunnel (Alpha Criteria Ltd.)

The application vdownloader_setup.exe, “Bafedeluh Setup ” by FlashFunnel (Alpha Criteria) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.capitalsharetours.com and multiple other hosts.

File name:

Publisher:

Dokako (signed by FlashFunnel (Alpha Criteria Ltd.))

Product:

Bafedeluh

Description:

Bafedeluh Setup

MD5:

97a98773ebe139a9257ca3e85b6ca214

SHA-1:

1fc8196073a346901010795a7a5ceb04c4c98713

SHA-256:

9d5b5ad48255decfaf08670298eac725f2cb6da73fbff01d52f7f87389b0f899

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

11/6/2024 4:30:48 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.InstallCore.AC (M)

16.8.4.2

File size:

1.2 MB (1,266,920 bytes)

Product version:

5.8.3

Stub wizard

File type:

Executable application (Win32 EXE)

Bundler/Installer:

installCore (using Inno Setup)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\vdownloader_setup.exe

Digital Signature

Signed by:

FlashFunnel (Alpha Criteria Ltd.)

Authority:

GlobalSign nv-sa

Valid from:

1/6/2016 3:33:56 PM

Valid to:

8/20/2016 3:41:12 PM

Subject:

CN=FlashFunnel (Alpha Criteria Ltd.), O=FlashFunnel (Alpha Criteria Ltd.), L=Tel Aviv, C=IL

Issuer:

CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:

1121E4C7AF870B5B414237A93853C74D7486

File PE Metadata

Compilation timestamp:

6/19/1992 11:22:17 PM

OS version:

1.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:LHiS6eoVdQ+ZFj+v7iV7W23f8E4pdl7uF:LCy+ZF6u1130Hnu

Entry address:

0xA5F8

Entry point:

55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55... 
[+]

Packer / compiler:

Inno Setup v5.x - Installer Maker

Code size:

39.5 KB (40,448 bytes)

The file vdownloader_setup.exe has been seen being distributed by the following 7 URLs.

http://www.capitalsharetours.com/s9nLDKQPV4Z5 IATHPnFO 9UT_YQtm33d7pcctdBQUaPtkzn74TIC85BfdMxgncebnkbsW O6Kv2PXRhyNKfWB0 9 FhahteY7VP47e6Bp67d42kpqJbH GJ7RK1LHNsxovu6HrCZhxbOo c4H uJxs4ebEO5w==-Gy0AAATqZLEpSWg2od1Us2dgAw6cAgoCW AesA3EjVfoZDJFpfOBto0H

http://www.capitalsharetours.com/UhQlLJ5OZ3gI2toISI6dktoGe2Z EAIeN2oBBDV2GATYjPbB1GaiT6CxHygVUkLBUoUtUURfQxp2YAr TE0HbnuStrbhioQlfxMzyXMKi4sZkX96DfIORG4O6qXJ6bSUvBFPMtq j_FV2izGlA40N9_U 3fn2A==-Gy0AAATqZLEpSWg2od1Us2dgAw6cAgoCW AesA3EjVfoZDJFpfOBto0H

http://www.capitalsharetours.com/QS3q6wevhiCbm1Ni2G8VHd0sLevs4hKBRYtLAwSJJQ5RqZGSAJ9YqTb18x8wggkFHxcNVMc6kQ OeASB5Rq7MdB5AGl8gcnfbU5BIQUNUJp3mjPyfI_WG6iFwdcGUdOkWfsjoHY0BUZNZw3ruL r5mJN3E9prw==-Gy0AAATqZLEpSWg2od1Us2dgAw6cAgoCW AesA3EjVfoZDJFpfOBto0H

http://www.capitalsharetours.com/58JEbQ gN01sd84sEYTwT4QKAPGKhU7FTKJDr9BemvX1HFugNlfF1h9VDsN3LeBKdPFlEVBj3OPMyOd8IKvfR Ih0k 6_cScTQ9ptrKNdsTRATuLg9CTIqPKG9Pe1wejcfKiBv_K2SEZu_1TJMFGFEGae4uVTA==-Gy0AAATqZLEpSWg2od1Us2dgAw6cAgoCW AesA3EjVfoZDJFpfOBto0H

http://www.capitalsharetours.com/ 4dLunQ09 mNXGVSYfM4blFrKTHeofQU4lZYipHdfupwzbbc c Gan9zEoVcvNIBIsHbpuszm 3jYnbnV2RaxhqQBBYFHqCyhKM6MFmgzBtZIDRTKaZtxSMYgV8OSGWg HgnPSubaZyZDeCmFmsNe3uy5nsqqQ==-Gy0AAATqZLEpSWg2od1Us2dgAw6cAgoCW AesA3EjVfoZDJFpfOBto0H?EsetProtoscanCtx=db84060

http://www.capitalsharetours.com/P5e7lV_wxygfm08G21a2eLhTqJeTGbFbGj8Xe SvCfni5tHKLHMUytt1Cv8ndVkNpc3xJS40Va5obyCNmh0Qqnunn_zBDDl3GkL_juyMrJUecnO4ln1AcUOv6Tmf_UkJ5lDKjjMj5EI_AyBytba nNMbn5f1 w==-Gy0AAATqZLEpSWg2od1Us2dgAw6cAgoCW AesA3EjVfoZDJFpfOBto0H

http://www.capitalsharetours.com/ypg XBTD3kZP7AHCyVy6yuk_yKo1YWHG5KsqhhstykvBV7c4sFFCCEywxkTHGindoOP4KKZ54fOZ5EHHkBHSRG2 B0johmIlchCgafoYsTjuXBW3Rfloip2fb4ZvVIT_PSLyJXUlaYLwGpQ6MrlxMO8LpX7mwQ==-Gy0AAATqZLEpSWg2od1Us2dgAw6cAgoCW AesA3EjVfoZDJFpfOBto0H

Remove vdownloader_setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.