yosetup.exe

Pavel Repkin

The application yosetup.exe by Pavel Repkin has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monetization platform, which will download and install offers during setup for potentially unwanted software, including ad-supported and search-supported toolbars.
Publisher:
Pavel Repkin (signed and verified)

MD5:
8daa5ea5e475fcd153ad48403518cc14

SHA-1:
c59af70e410b05006a7cc98832053d5fe548265e

SHA-256:
55be8578e8f5ac6301a6791eb30bbd362461e17b653063b087a29e90a77ac5fe

Scanner detections:
8 / 68

Status:
Adware

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/27/2024 8:35:57 PM UTC

Scan engine
Detection
Engine version

Baidu Antivirus
Trojan.Win32.Agent
4.0.3.14115

Bkav FE
W32.Clod085.Trojan
1.3.0.6185

ESET NOD32
8.10619

G Data
Win32.Adware.OpenCandy
14.11.24

Malwarebytes
PUP.Optional.OpenCandy
v2014.11.05.02

Reason Heuristics
PUP.Installer.PavelRepkin.H
14.11.5.14

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.141103

Sophos
OpenCandy
4.98

File size:
7.6 MB (7,938,224 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\logiciels\météo\yosetup.exe

Digital Signature
Signed by:

Authority:
StartCom Ltd.

Valid from:
8/30/2011 4:17:25 AM

Valid to:
8/30/2013 11:50:27 AM

Subject:
E=pavel.repkin@gmail.com, CN=Pavel Repkin, L=Saint Petersburg, S=Saint Petersburg City, C=RU, Description=496726-6lnbyJoXvJM0x5wb

Issuer:
CN=StartCom Class 2 Primary Intermediate Object CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL

Serial number:
03ED

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:uVkt4QVkKZVJEvd5i+fi9hBz+V/U6D3seej8E/1An7GjQjlL0smqbvI6xsBN6n9/:uVi4YJGd0tcV/U6D8eFiaHN06vI4k8nJ

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
