wecpsetup.exe

Open Source Developer

The application wecpsetup.exe by Open Source Developer has been detected as a potentially unwanted program by 13 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. According to Microsoft Security Essentials, the software includes a bundle of the DealPly adware which is installed on a user's PC during setup using the InstallCore platform. The file has been seen being downloaded from fs1.filepuma.com and multiple other hosts.
Publisher:
Open Source Developer  (signed and verified)

MD5:
1026ed691ac79362cc051cf68682073c

SHA-1:
859f5964597535c276be38638aaf9830f7fe7027

SHA-256:
ea397583a8d69ea337b1dc1478da08e64ae160d40c5763a02bcbfa0a3ef4bc8c

Scanner detections:
13 / 68

Status:
Potentially unwanted

Explanation:
This software bundler installs other potentially unwanted software, including DealPly. Which includes offers in a user's web browser which state they are "Powered by DealPly".

Analysis date:
12/24/2024 5:02:04 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.InstallCore
2014.01.03

Dr.Web
Adware.InstallCore.80
9.0.1.0359

ESET NOD32
Win32/InstallCore.AZ (variant)
7.9241

Fortinet FortiGate
Riskware/InstallCore
12/25/2013

F-Prot
W32/InstallCore.W.gen
v6.4.7.1.166

IKARUS anti.virus
SoftwareBundler
t3scan.2.2.29

K7 AntiVirus
Trojan
13.174.10689

Microsoft Security Essentials
1.165.247.01

nProtect
Adware/W32.Agent.1193424
14.01.01.01

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.131223

Trend Micro House Call
ADW_DEALPLY
7.2.359

Trend Micro
ADW_DEALPLY
10.465.25

Vba32 AntiVirus
BScope.P2P-Worm.Palevo
3.12.24.3

File size:
1.1 MB (1,193,424 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\wecpsetup.exe

Digital Signature
Authority:
Unizeto Technologies S.A.

Valid from:
7/11/2012 7:34:47 AM

Valid to:
7/11/2013 7:34:47 AM

Subject:
E=admin@devlopex.com, CN=Open Source Developer, OU=Open Source Developer, O=Open Source Developer, C=CY

Issuer:
CN=Certum Level III CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
3B0D24754C74CB103F49DCDB864049BD

File PE Metadata
Compilation timestamp:
6/19/1992 11:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:LmuvyQzYd+alLOjmRiX8NSAf86tsXyt0LzdO8llWiB64f:Lm4qL2mRiMNSQ86tsXyt01OWUiT

Entry address:
0xD6630

Entry point:
55, 8B, EC, 83, C4, F0, B8, 10, E1, 40, 00, E8, E2, F7, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
869.5 KB (890,368 bytes)

The file wecpsetup.exe has been seen being distributed by the following 3 URLs.

http://fs1.filepuma.com/download_mirror/1358827272/V2luZG93c19Fc3NlbnRpYWxzX0NvZGVjX1BhY2tfdjQuNC5leGU=/.../Windows_Essentials_Codec_Pack_v4.4.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 92b91b35.rdns.100tb.com  (146.185.27.53:80)

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (199.58.87.151:80)

TCP (HTTP):
Connects to ec2-54-232-222-104.sa-east-1.compute.amazonaws.com  (54.232.222.104:80)

TCP (HTTP):
Connects to ec2-54-154-109-8.eu-west-1.compute.amazonaws.com  (54.154.109.8:80)

TCP (HTTP):
Connects to ec2-52-49-170-39.eu-west-1.compute.amazonaws.com  (52.49.170.39:80)

TCP (HTTP):
Connects to 50.115.122.45.static.westdc.net  (50.115.122.45:80)

Remove wecpsetup.exe - Powered by Reason Core Security