youku_downloader_setup_ry.exe

The application youku_downloader_setup_ry.exe has been detected as a potentially unwanted program by 21 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The file has been seen being downloaded from software-files-a.cnet.com and multiple other hosts.
MD5:
9bf7c466be15b46e029a246679f9957d

SHA-1:
4a3173d7115a8cb1129bb7eda7c6d64fde634cbe

SHA-256:
b425450711348f0ae5cdb108f8bc275734f49bbed31b7e67a8fd10aad63d4994

Scanner detections:
21 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/23/2024 10:26:32 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.OutBrowse
7.1.1

avast!
Win32:PUP-gen [PUP]
2014.9-140504

AVG
MalSign.OutBrowse
2015.0.3485

Baidu Antivirus
Hacktool.Win32.OutBrowse
4.0.3.1454

Comodo Security
Application.Win32.OutBrowse.~A
18121

Dr.Web
Adware.Downware.1770
9.0.1.0124

ESET NOD32
Win32/OutBrowse (variant)
8.9690

Fortinet FortiGate
Riskware/NSIS_OutBrowse
5/4/2014

G Data
Win32.Application.OutBrowse
14.5.24

IKARUS anti.virus
not-a-virus:Downloader.NSIS
t3scan.1.6.1.0

K7 AntiVirus
Unwanted-Program
13.176.11784

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
14.0.0.3918

Malwarebytes
PUP.Optional.OutBrowse
v2014.05.04.09

McAfee
Artemis!9BF7C466BE15
5600.7141

NANO AntiVirus
Trojan.Win32.OutBrowse.csrlza
0.28.0.59288

Quick Heal
Trojan.NSIS.OutBrowse.b
5.14.12.00

Sophos
OutBrowse
4.98

Trend Micro House Call
TROJ_SPNR.0BDF14
7.2.124

Trend Micro
TROJ_SPNR.0BDF14
10.465.04

Vba32 AntiVirus
Downloader.OutBrowse
3.12.26.0

VIPRE Antivirus
OutBrowse
28330

File size:
616 KB (630,762 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

File PE Metadata
Compilation timestamp:
12/6/2009 6:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:JpFyhCfsMntd1zdwVWyK1EzotWlj+kzVX0xp+lHTNo5uLMxHeXAkepYsq4e:JvyhCfsMtpwof1EzotWln3M6VXopa4e

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9785

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file youku_downloader_setup_ry.exe has been seen being distributed by the following 2 URLs.

Remove youku_downloader_setup_ry.exe - Powered by Reason Core Security