ytdsetup.exe

YTD Video Downloader

GreenTree Applications srl

The application ytdsetup.exe, “YTD Video Downloader stub installer” by GreenTree Applications srl has been detected as a potentially unwanted program by 18 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from d2dvqv1p6o0grd.cloudfront.net and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
GreenTree Applications srl  (signed and verified)

Product:
YTD Video Downloader

Description:
YTD Video Downloader stub installer

Version:
4.9.2.3

MD5:
69dfeaa46b8b0f3d0e9ba8043175a2a2

SHA-1:
48c2499a4ae32eabb902486e9f9e6a45575f5080

SHA-256:
32f7c93c66e5da4e132e5549dcd041bd94a12626f5b3c372aaaada0ac3278e8f

Scanner detections:
18 / 68

Status:
Potentially unwanted

Explanation:
This is part of a Greentree bundled installer, which includes various adware, toolbars and co-bundled potentially unwanted apps pushed to the user upon setup.

Analysis date:
11/2/2024 3:20:16 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/Widgi.102704.2
8.3.1.6

avast!
Win32:PUP-gen [PUP]
2014.9-151106

Baidu Antivirus
PUA.Win32.Toolbar
4.0.3.15116

Bkav FE
W32.HfsAdware
1.3.0.7383

Dr.Web
Adware.Downware.10873
9.0.1.0310

ESET NOD32
Win32/Toolbar.Widgi potentially unwanted
9.11444

G Data
Win32.Adware.YTDownloader
15.11.25

K7 AntiVirus
Adware
13.205.16545

Kaspersky
not-a-virus:HEUR:Downloader.Win32.Generic
14.0.0.1161

McAfee
Artemis!4EC0C81186BF
5600.6589

NANO AntiVirus
Riskware.Win32.AdLoad.dxemmd
0.30.26.4437

Panda Antivirus
Generic Suspicious
15.11.06.05

Quick Heal
Downloader.Generic.r5 (Not a Virus)
11.15.14.00

Reason Heuristics
Win32.Generic.GreenTreeApplicationssrl.Installer.Meta
15.11.6.17

SUPERAntiSpyware
PUP.YTD/Variant
9524

Trend Micro House Call
TROJ_GEN.R0C1H07CH15
7.2.310

VIPRE Antivirus
Trojan.Win32.Generic
42624

Zillya! Antivirus
Adware.Toolbar.Win32.343
2.0.0.2286

File size:
115.9 KB (118,728 bytes)

Product version:
4.9.2.3

Copyright:
(c) 2015 GreenTree Applications SRL. All rights reserved.

Original file name:
YTDStub.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\ytdsetup.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
2/17/2015 9:55:38 AM

Valid to:
11/18/2015 10:32:14 AM

Subject:
CN=GreenTree Applications srl, O=GreenTree Applications srl, L=Bucuresti, C=RO

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00C427DA8891A2EF29

File PE Metadata
Compilation timestamp:
2/24/2012 2:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:CweqOYEUXPnD7Ozd8yNkaqJC94na4fWT9b9:/EUXb6yyKanl4fw9b9

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 
[+]

Entropy:
7.0231

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file ytdsetup.exe has been seen being distributed by the following 50 URLs.

http://d2dvqv1p6o0grd.cloudfront.net/Ep6Is-z5URr8eULjNgHgeBPnzCng57azI5xluBWfZ6Q

http://d26pznd2butlc3.cloudfront.net/-dVNFfkrw2LHiTf9wCu1nrx-C7yfr_x5buuf7P7aTfE

http://dw1dz03mith3v.cloudfront.net/_Qlu4dl_QX-y2xJqOiSR_Ar6yfK8EKeU4yH8gopCnIc

http://dw1dz03mith3v.cloudfront.net/d8Kq2SQnZuuDmccd6aQAX1mQPcfkYl_SJJRy1Zt2n3Q

http://d4eee3wjl1xm9.cloudfront.net/ikbpBPh-Z8AJSa35ZDaOXh8r6A4Y63m-Nh0W__RxxeM

http://d2v0vc22bjq1vr.cloudfront.net/5nhx34Ec3yhXsHFCkyQMel41w_X5Rir6ERQT7d2nfgs

http://dzq5j7b3b3f39.cloudfront.net/JzPW8FsxrW5umP7jhMVPnCezJYhnqgcff63cD9OgvDI

http://dt55ivkjb4euu.cloudfront.net/UD5VMYpBHec1DukrvrG6dDl-zsPletkQz-3LYn87J3M

http://d1e8sefdakj1dj.cloudfront.net/TXBnt2OvhhYA33FDOGAuDTc0YQjIeU7lB0glopBbbqQ

http://d45k1lhov7jdm.cloudfront.net/5bDSpngR9KrbaXypk_deus8JF3c7lDVWWWPyBORTxXo

http://d34a5ggxl831lg.cloudfront.net/EgoYDElIhHWn1mcwbWO_q3PA5gXp5ZcO4B5XTqrL01c

http://dw1dz03mith3v.cloudfront.net/WNQBg_T4LWxjmucobIJ1sQ3WaIyh8tFoJCAFYnC41Yc

http://d1wvl87mwl2678.cloudfront.net/TgWAvLKWZ031TvRYnhqsA25zZPCuM52DkVpTeMQ4t50

http://d11kc8rtigqjh1.cloudfront.net/uMllYOaH_r1ZsLpvEk7_idZikQmNyIy0vWzufImGepI

http://d2ydw7h71gpcvr.cloudfront.net/lJfr7fVJOgOdlS6El0Mztt4_K1sLN_lNDFIZNCeRibI

http://d2x1lfl8oiiua5.cloudfront.net/uKyVuAc2MFH_zY5XGDakiw01Jx1TG3q7BvlTHW71b1U

http://d2mscccgvz2b3v.cloudfront.net/EBStPI3maIBF0_TVj79DSvd_nJrLJUJFsKXbYgGx-B4

http://d2iwlsjfsno3ya.cloudfront.net/yK0mZ-H6zyIhHBO_IWPv4x9AhPHxEkQWz_V-tds-pe4

http://dfz7glnzr5zbm.cloudfront.net/MSejSQBeUwvTRO2jIuAmCacKqB0JrFKigYkjmfanBUA

http://d1w4o6gw36etpt.cloudfront.net/nGQVwd4Lt2IeeAfsYvrD3v9tOg6lR5_wROmS4YBwHXg

http://d835ud54effsc.cloudfront.net/gjAimlg2dNdKe9olgIeXLhfUj0J-tbPDZUOpEYuKAJQ

http://d2a93ghazmt2qx.cloudfront.net/PgXb_0twzORTUYR6EwItMCo6yKoRsDQIcRsbD8Kl46U

http://dw1dz03mith3v.cloudfront.net/9R8JZPhtpQDP-FO0A0h8R9ZikQmNyIy0vWzufImGepI

http://d1owbik8ha1rj1.cloudfront.net/PmXZgJZqNX8-wHZCTQo7ORVktw0gVBIRi2jMFtFekYo

http://dqlhzgliiwmch.cloudfront.net/w0oCut76OnmZOti_PV7mBNiynk8sufLkhOEhZZmLuGc

http://dw.cbsi.com/redir?ttag=restart_download_click&ptid=3001&pagetype=product_pdl&astid=2&edid=3&tag=link&siteid=4&destUrl=&onid=2071&oid=3001-2071_4-10647340&rsid=cbsidownloadcomsite&sl=en&sc=us&topicguid=internet/dl-managers&topicbrcrm=&pid=13941183&mfgid=6291469&merid=6291469&ctype=dm&cval=NONE&devicetype=desktop&pguid=418cda5985ddd488234a46a0&viewguid=TZvBfyAmyeUvYrO3CCP0G1O8IQgsTBhrhK86&destUrl=http://www.youtubedownloadersite.com/.../ytdcnet.php

http://d1yef8gihaeuhp.cloudfront.net/X5cPSsgAxGzVKHUYSa5edePkQj0NxJ9nGPgw0o-4Kvk

http://d323ugtbgvm05h.cloudfront.net/hj-Z9W4F2yvyZU3Mu2qs-KyuYk1r_sQRu6oRs1gGpIk

http://d2vrtkk433mkdk.cloudfront.net/njkoBQP6W67gKayrSVSYDd9Y4WFgmYBQIuL8PDQD-gI

http://d2wvye1b3cgzw1.cloudfront.net/IPFs54ERriRuCAdMZ1-7hm0PE5mDFTo7SEtsvxJYshg

Latest 30 of 327 download URLs

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (5.79.67.111:80)

Remove ytdsetup.exe - Powered by Reason Core Security