ytd.exe

YTD Video Downloader

ProInstall Applications SRL

The application ytd.exe by ProInstall Applications SRL has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
GreenTree Applications SRL  (signed by ProInstall Applications SRL)

Product:
YTD Video Downloader

Version:
5, 8, 1, 3

MD5:
82cda60b6f1a040588e70bb9de23fb3f

SHA-1:
9a3a680d08c9a471fcfc40173d826a7fdd7ca3a3

SHA-256:
2dbb4c42bbf4e0087f961a94f4557d7d4ace21adc8f9e3ab7d69b0e01b66003a

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/15/2024 3:08:53 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ProInstall (M)
16.11.24.17

File size:
1.7 MB (1,789,352 bytes)

Product version:
5, 8, 1, 3

Copyright:
Copyright © 2007-2015 GreenTree Applications SRL

Original file name:
ytd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\greentree applications\ytd video downloader\ytd.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/4/2016 1:00:00 AM

Valid to:
12/17/2016 12:59:59 AM

Subject:
CN=ProInstall Applications SRL, OU=iops, O=ProInstall Applications SRL, STREET="Bd Decebal 25-29, Et 10", STREET=Spatiul 9.1 Camera A, L=Bucuresti, S=Sector 3, PostalCode=030964, C=RO

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00C26DB8152C2C739088220ACB2E607997

File PE Metadata
Compilation timestamp:
11/24/2016 1:26:29 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:8HQQ67z9/Cvi9dXW1U1yhKsEvOZi5QHIs:8Hkt9dXW1UNs

Entry address:
0xBADFC

Entry point:
E8, CD, 50, 01, 00, E9, 79, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 00, 01, 00, 00, 72, 0E, 83, 3D, 28, FA, 52, 00, 00, 74, 05, E9, 7F, 51, 01, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01, 83, EA...
 
[+]

Code size:
959 KB (982,016 bytes)

The file ytd.exe has been seen being distributed by the following URL.

temp:ytd.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (95.211.187.107:80)

TCP (HTTP SSL):
Connects to bzq-179-17-145.cust.bezeqint.net  (212.179.17.145:443)

TCP (HTTP SSL):
Connects to bzq-179-154-208.pop.bezeqint.net  (212.179.154.208:443)

TCP (HTTP SSL):
Connects to bzq-179-154-205.pop.bezeqint.net  (212.179.154.205:443)

TCP (HTTP):
Connects to a23-57-229-163.deploy.static.akamaitechnologies.com  (23.57.229.163:80)

TCP (HTTP):
Connects to a104-117-75-72.deploy.static.akamaitechnologies.com  (104.117.75.72:80)

TCP (HTTP SSL):
Connects to tw194-static206.tw1.com  (110.93.194.206:443)

TCP (HTTP SSL):
Connects to tw194-static205.tw1.com  (110.93.194.205:443)

TCP (HTTP SSL):
Connects to tw194-static204.tw1.com  (110.93.194.204:443)

TCP (HTTP SSL):
Connects to tw194-static14.tw1.com  (110.93.194.14:443)

TCP (HTTP SSL):
Connects to tw194-static13.tw1.com  (110.93.194.13:443)

TCP (HTTP SSL):
Connects to tw194-static12.tw1.com  (110.93.194.12:443)

TCP (HTTP SSL):
Connects to TIG-Net17-146.trueintergateway.com  (27.123.17.146:443)

TCP (HTTP SSL):
Connects to static.khi77.pie.net.pk  (221.120.207.18:443)

TCP (HTTP):
Connects to server-54-230-95-35.fra2.r.cloudfront.net  (54.230.95.35:80)

TCP (HTTP):
Connects to server-54-230-150-140.sin2.r.cloudfront.net  (54.230.150.140:80)

TCP:
Connects to proxy-52.unisa.ac.za  (163.200.101.52:3128)

TCP (HTTP SSL):
Connects to host-213.158.178.16.tedata.net  (213.158.178.16:443)

TCP (HTTP SSL):
Connects to edge-video-shv-01-sin6.fbcdn.net  (157.240.7.21:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-kut2.facebook.com  (157.240.10.35:443)

Remove ytd.exe - Powered by Reason Core Security