ytd.exe

YTD Video Downloader

ProInstall Applications SRL

The application ytd.exe by ProInstall Applications SRL has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address server-54-230-163-118.jax1.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
GreenTree Applications SRL  (signed by ProInstall Applications SRL)

Product:
YTD Video Downloader

Version:
5, 8, 2, 1

MD5:
53fafedcc195e2a50b45997eed6edb88

SHA-1:
6c9385f953147e13fd4478b81a8c63fa3aa9dca6

SHA-256:
7caff78c6848f5e1e76ec349f68924d269eb85fdfe86f10f314fb9de72fcc572

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/25/2024 3:09:34 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ProInstall (M)
16.12.5.13

File size:
1.7 MB (1,798,568 bytes)

Product version:
5, 8, 2, 1

Copyright:
Copyright © 2007-2015 GreenTree Applications SRL

Original file name:
ytd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\greentree applications\ytd video downloader\ytd.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/4/2016 2:00:00 AM

Valid to:
12/17/2016 1:59:59 AM

Subject:
CN=ProInstall Applications SRL, OU=iops, O=ProInstall Applications SRL, STREET="Bd Decebal 25-29, Et 10", STREET=Spatiul 9.1 Camera A, L=Bucuresti, S=Sector 3, PostalCode=030964, C=RO

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00C26DB8152C2C739088220ACB2E607997

File PE Metadata
Compilation timestamp:
11/29/2016 7:43:50 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:IM8lmO4yCILAaYX+nB2Uc5MasivEDVSne:IpR46AaYunPB

Entry address:
0xBCA8C

Entry point:
E8, D4, 50, 01, 00, E9, 79, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 00, 01, 00, 00, 72, 0E, 83, 3D, 88, 2A, 53, 00, 00, 74, 05, E9, 86, 51, 01, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01, 83, EA...
 
[+]

Entropy:
6.5251

Code size:
966.5 KB (989,696 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (95.211.187.107:80)

TCP (HTTP SSL):
Connects to cache.google.com  (208.117.230.211:443)

TCP (HTTP):
Connects to a23-14-137-175.deploy.static.akamaitechnologies.com  (23.14.137.175:80)

TCP (HTTP SSL):
Connects to triband-del-59.179.18.15.bol.net.in  (59.179.18.15:443)

TCP (HTTP SSL):
Connects to triband-del-59.179.18.14.bol.net.in  (59.179.18.14:443)

TCP (HTTP SSL):
Connects to triband-del-59.179.18.13.bol.net.in  (59.179.18.13:443)

TCP (HTTP):
Connects to server-54-230-95-157.fra2.r.cloudfront.net  (54.230.95.157:80)

TCP (HTTP):
Connects to server-54-230-163-118.jax1.r.cloudfront.net  (54.230.163.118:80)

TCP (HTTP):
Connects to server-54-192-230-100.waw50.r.cloudfront.net  (54.192.230.100:80)

TCP (HTTP):
Connects to server-52-85-221-80.cdg50.r.cloudfront.net  (52.85.221.80:80)

TCP (HTTP):
Connects to server-52-84-126-71.iad16.r.cloudfront.net  (52.84.126.71:80)

TCP (HTTP SSL):
Connects to mx-ll-110.164.16-83.static.3bb.co.th  (110.164.16.83:443)

TCP (HTTP):
Connects to mx-ll-110.164.16-45.static.3bb.co.th  (110.164.16.45:80)

TCP (HTTP):
Connects to mx-ll-110.164.10-24.static.3bb.co.th  (110.164.10.24:80)

TCP (HTTP SSL):
Connects to mx-ll-110.164.10-17.static.3bb.co.th  (110.164.10.17:443)

TCP (HTTP SSL):
Connects to mx-ll-110.164.10-12.static.3bb.co.th  (110.164.10.12:443)

TCP (HTTP):
Connects to host-213.158.178.94.tedata.net  (213.158.178.94:80)

TCP (HTTP SSL):
Connects to host-213.158.172.204.tedata.net  (213.158.172.204:443)

TCP (HTTP):
Connects to host-105.203.250.37.etisalat.com.eg  (105.203.250.37:80)

TCP (HTTP SSL):
Connects to edge-video-shv-01-fra3.fbcdn.net  (31.13.93.15:443)

Remove ytd.exe - Powered by Reason Core Security