» ytdsetup.exe
Overview
Analysis
File Details
Downloads (18)
Network (2)

ytdsetup.exe

YTD Video Downloader

Greentree Applications SRL

The application ytdsetup.exe by Greentree Applications SRL has been detected as a potentially unwanted program by 24 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from www.ytddownloader.com and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.

File name:

ytdsetup.exe

Publisher:

Greentree Applications SRL (signed and verified)

Product:

YTD Video Downloader

Version:

5.1.1

MD5:

ca9daa8d52228ba6a8a12b3b4fdd0b9a

SHA-1:

8b911f65bbb0d1a34c61db42f9d0dbb9558b8e73

SHA-256:

13d82b2a1cf15e60aae5bd1861cd340c31db00fb4c820d7fa230956b6d6d564c

Scanner detections:

24 / 68

Status:

Potentially unwanted

Explanation:

This is part of a Greentree bundled installer, which includes various adware, toolbars and co-bundled potentially unwanted apps pushed to the user upon setup.

Analysis date:

2/26/2025 3:46:49 PM UTC (today)

Scan engine

Detection

Engine version

avast!

Win32:Adware-gen [Adw]

2014.9-160204

AVG

Downloader

2017.0.2844

Baidu Antivirus

Adware.Win32.AskToolbar

4.0.3.1624

Bkav FE

W32.HfsAdware

1.3.0.6979

Comodo Security

ApplicUnwnt

19644

Dr.Web

Adware.Downware.10873

9.0.1.035

ESET NOD32

Win32/Bundled.Toolbar.Ask.G potentially unsafe (variant)

10.11871

Fortinet FortiGate

Riskware/Ask

2/4/2016

G Data

Win32.Adware.Spigot

16.2.24

IKARUS anti.virus

PUA.Offer

t3scan.1.9.5.0

K7 AntiVirus

Trojan

13.183.13504

Kaspersky

not-a-virus:AdWare.MSIL.RocketTab

14.0.0.713

Malwarebytes

PUP.Optional.APNToolBar.A

v2016.02.04.11

McAfee

Artemis!8A5AE67E0CA6

5600.6500

NANO AntiVirus

Trojan.Win32.Downware.ctuoeb

0.28.0.59048

Panda Antivirus

Trj/Chgt.E

16.02.04.11

Qihoo 360 Security

HEUR/Malware.QVM06.Gen

1.0.0.1015

Quick Heal

AdWare.MSIL.g6 (Not a Virus)

2.16.14.00

Reason Heuristics

Win32.Generic

16.2.4.11

Rising Antivirus

PE:Trojan.Win32.Generic.172F5263!388977251

23.00.65.16202

Trend Micro House Call

TROJ_GEN.R047H07HS14

7.2.35

Vba32 AntiVirus

Backdoor.Sinowal

3.12.26.4

VIPRE Antivirus

Trojan.Win32.Generic

31108

Zillya! Antivirus

Adware.RocketTab.Win32.32

2.0.0.1936

File size:

10 MB (10,496,520 bytes)

Product version:

5.1.1.0.1

Original file name:

Uninstall.exe

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Language:

English (United States)

Digital Signature

Signed by:

Greentree Applications SRL

Authority:

Symantec Corporation

Valid from:

6/16/2015 5:30:00 AM

Valid to:

8/15/2017 5:29:59 AM

Subject:

CN=Greentree Applications SRL, O=Greentree Applications SRL, L=Bucharest, S=Bucharest, C=RO

Issuer:

CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:

65DB5B5BDFCE9083EDF79253BABF4963

File PE Metadata

Compilation timestamp:

2/25/2012 12:49:59 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

196608:ng5p+TrKBaG5Rj9Pg32qjVFDzASwF1Y4hMtR4ZhxmN:ukKMMfPxKPzASwFa4KtexM

Entry address:

0x39E3

Entry point:

81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00... 
[+]

Entropy:

7.9992

Packer / compiler:

Nullsoft install system v2.x

Code size:

28 KB (28,672 bytes)

The file ytdsetup.exe has been seen being distributed by the following 18 URLs.

http://www.ytddownloader.com/.../stub.php

http://d2ghfsky6vow5m.cloudfront.net/4qpxJYS37_HKr2e4aP04Bf9TjVtDi4OBfro2hVWeRdA

http://www.vaultsheadcentral.com/WVl6OTRQVGhWUWs5bGRYVmxRM0JXUjJaSVVERmliakpZSlRKQ01UZDBaRXhLWW1SdmFqTndXVXR5V1Vwb0pUSkNWV0UwSlRORUptTTlVMUZxYWpoM2MxUk1abWhCTTJKeVNpVXlRamRRVEVscFpHZHZOM1ZEVUZjbE1rSTVOR3RLVnpSWlVrbzFUMEUwTmxVMlp6bHdaRkJrVEhCNlozRlBWakI2WVZsU2NGRkZla1k0WTIxNVpXWnVPSGxyVlhaeGIyaG1TR2RxUzJsVVRVRjBkMGh1Ym10TGVUWnpiMW93VHpScmVqQkpURzR6SlRKR1IyWjFPVEE1UjBReEpUSkNKVEpDSm1SdmQyNXNiMkZrUVhNOWVYUmtMWFpwWkdWdkxXUnZkMjVzYjJGa1pYSXROUzQxTGpFMUxtVjRaU1ptWVd4c1ltRmphMTkxY213OWFIUjBjQ1V6UVNVeVJpVXlSbkJtTG1KbGJtcGhiV2x1YzNSeVlXaHpMbU52YlNVeVJuTWxNa1l4TkRVM05EUTVNak00SlRKR1pXNGxNa1k1SlRKR05pVXlSamsyTVRNM05DMHhPREE1TVRReExYbDBaQzEyYVdSbGJ5MWtiM2R1Ykc5aFpHVnlMbVY0WlE9PQ==

http://d1vdt3k7hski9t.cloudfront.net/kits/.../YTDSetup.exe

http://www.cleandeliverytour.com/c?x=DH6nnWQDvt63rjX5J3/FEuf0Vd BenFXU/CvpBgacmU=&c=tpkVOUgKAITENpFtFGxpuu0uzb/qD1TKyvd7Z yOH1dVlmLW9WtcdewpWdoHS2E02mkP9iFhKMyZsIgd/3z/LlbNuozBH9pkjdp4eK9oe9V1NtUzpSjIEgTMEm3MCQL0QhhgngOf7JSXvQ9Rt1Q91PP oNBmzcquAIj9zxbEJulzxRxaYLOenx0sR0Zd9BNf&e=0&downloadAs=ytd-video-downloader-5.5.15.exe&fallback_url=http://pf.benjaminstrahs.com/s/1459840814/en/9/.../961374-1809141-ytd-video-downloader.exe

http://www.youtubedownloadersite.com/installers/.../YTDSetup.exe

http://www.downloadappsbinaries.com/c?x=ZyRDAx 3UJUxqbeIjFXoosb9Sh7EE6zqm3wbOQ9gj5E=&c=vwTzFPZ9U/sxm0DOIUtT1pzmPXfUrRmgmfN2aKnx8WZyOWoLrR8JF9S5L4LLy6byW/NhOA U REPUJrN3Fikr9ipE I3rKYwkpKx/7o65ZzaFFoKZymoMdZM7 bnr8we&downloadAs=ytd-video-downloader-5.5.15.exe&fallback_url=http://pf.benjaminstrahs.com/s/1459102576/en/9/.../961374-1809141-ytd-video-downloader.exe

http://www.vaultsheadcentral.com/c?x=VITBBiZKKDy/HaHTjjRofmiIdXiAMoablPcYmgTQUFI=&c=nG3dtZdbBIGQ3mlCOoo/NxvbJRJdXkKYQRlFx/gW/ixPAC8OXaY PkzJWSKFgPCnJXp0I/xMlcgwNe DOWGRV1219dI2MRVotH8MJYz X1VJEuEn1ERZCMBtRZk LLlFSKNaVSHGxnDjFFT RleI0inHHF8lbblU512lhCfewMpXbeIX4Yy7kmI0GXwSXkX&e=0&downloadAs=ytd-video-downloader-5.5.15.exe&fallback_url=http://pf.benjaminstrahs.com/s/1458474992/en/9/.../961374-1809141-ytd-video-downloader.exe

http://www.vaultsheadcentral.com/c?x=kaHDsb0e2sbrTw n0mMCBTVQehh57 x wPMhN2NCzu4=&c=hvsW1RtV/Ni7lzk9C185 ewYJw6F2EtJ4cb0yHKJhSbYY5xmjDuBYpf1QO7N8WWA6rpSjIyZ1BEvBalU9e7UYtPBInftE/umU0A4bgUg4pdbt6/lGh11i8RnjyDD1yWqD6wtlUqWjZa1qH3Lsqj6zp5xLQbvAtIbrgL59o/7odS8WLPT9YcFF0sWXYf6dWKO&e=0&downloadAs=ytd-video-downloader-5.5.15.exe&fallback_url=http://pf.benjaminstrahs.com/s/1458655941/en/9/.../961374-1809141-ytd-video-downloader.exe

http://d3876fpuz5dglk.cloudfront.net/kits/.../YTDSetup.exe

http://www.vaultsheadcentral.com/c?x=MpnjO228fzGB4kBoGd48BxGSAeywyDCAS3i2JbedCSQ=&c=/3LVTLE5KZHz6QRMuqdtm8wRQyCek5M fqPzrCv2glDSzTOsK4IJICydg/TwDGMG7BJxTh4H2Q0gR6Kn2kRyNNdlUINH2ZedScG06EriZHHiV1K1dxwI0qeMFw1ZF3Rt7HDdIPEgN1u wy6y8dIhmMaJd0DSjcAiAXTDNTdJ2RY=&e=0&downloadAs=ytd-video-downloader-5.5.15.exe&fallback_url=http://pf.benjaminstrahs.com/s/1458413511/en/9/.../961374-1809141-ytd-video-downloader.exe

http://www.vaultsheadcentral.com/WVl6OTRQVmg1TWxCWFpEYzJNV28xSlRKQ1RFcHhja1p4VVVjMmR6WnFXRFJzZUhKSlVHUXliVVZSWTNsU1REZHRSU1V6UkNaalBUUk1SR3htUTA1c2FVVllZa3BMUW04eGFqQndKVEpDUkV4cU1tOVdWM1pSVEc5TGF6TXhibEJaYkRkWVZWTjNZVVZxTVhKSlJtSndTbWhyUjBScVREWnROM1E0VEVwalZ6QTRSek5LY2t4NlpFZHBOVkJUVEhWMlZVbHZkMVJNTlU1WU9VSkhaWFZ5ZEc5UFVGUnlaVGRKVkRsSlMyRmtlRlJRYXpSSVNrdzFiSE5tWmpCNFNsaEViMEUxTTFrMVREY2xNa1o0U1V0Mk5tY2xNMFFsTTBRbVpUMHdKbVJ2ZDI1c2IyRmtRWE05ZVhSa0xYWnBaR1Z2TFdSdmQyNXNiMkZrWlhJdE5TNDFMakUxTG1WNFpTWm1ZV3hzWW1GamExOTFjbXc5YUhSMGNDVXpRU1V5UmlVeVJuQm1MbUpsYm1waGJXbHVjM1J5WVdoekxtTnZiU1V5Um5NbE1rWXhORFU0TWpNeU9USXdKVEpHWlc0bE1rWTVKVEpHTmlVeVJqazJNVE0zTkMweE9EQTVNVFF4TFhsMFpDMTJhV1JsYnkxa2IzZHViRzloWkdWeUxtVjRaUT09

http://d3876fpuz5dglk.cloudfront.net/installers/.../YTDSetup.exe

http://gsf-cf.softonic.com/48c/249/.../YTDSetup.exe

http://d3876fpuz5dglk.cloudfront.net/installers/.../YTDSetup.exe

http://gsf-cf.softonic.com/2fa/274/.../YTDSetup.exe

http://d3876fpuz5dglk.cloudfront.net/installers/.../YTDSetup.exe

http://d3876fpuz5dglk.cloudfront.net/kits/.../YTDSetup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to 14.d7.24ae.ip4.static.sl-reverse.com (174.36.215.20:80)

TCP (HTTP):

Connects to hosted-by.leaseweb.com (95.211.187.107:80)

Remove ytdsetup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.