ytdsetup.exe

YTD Video Downloader

Greentree Applications SRL

The application ytdsetup.exe by Greentree Applications SRL has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This version of the installer will bundle the Ask.com Toolbar, a potentially unwanted web browser extension. The file has been seen being downloaded from files.jalantikus.com and multiple other hosts. While running, it connects to the Internet address www.youtubedownloadersite.com on port 80 using the HTTP protocol.
Publisher:
Greentree Applications SRL  (signed and verified)

Product:
YTD Video Downloader

Version:
4.7.2

MD5:
9b5304aa4e582e7cb8ff74b8ba086907

SHA-1:
9cba4e301a66ad26694f487e183de624f9865147

SHA-256:
bad2f4f30f710595156282f0265d76367383ef628dba3c55f249133d45906d53

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
This is part of a Greentree bundled installer, which includes various adware, toolbars and co-bundled potentially unwanted apps pushed to the user upon setup.

Analysis date:
11/23/2024 6:11:05 AM UTC

Scan engine | Detection | Engine version
AVG | Skodna.Generic_c | 2015.0.3564
Bkav FE | W32.Clod6c3.Trojan | 1.3.0.4613
Dr.Web | Adware.Downware.1417 | 9.0.1.0355
ESET NOD32 | Win32/Bundled.Toolbar.Ask (variant) | 7.9190
Malwarebytes | PUP.Optional.Spigot.A | v2013.12.21.09
McAfee | Artemis!9B5304AA4E58 | 5600.7275
Reason Heuristics | PUP.Optional.Installer.GreentreeApplicationsSRL.I | 14.3.1.16
Rising Antivirus | PE:Malware.XPACK/RDM!5.1 | 23.00.65.131219
Trend Micro House Call | TROJ_GEN.F47V1210 | 7.2.355

File size:
11.1 MB (11,616,520 bytes)

Product version:
4.7.2.0.1

Copyright:
Copyright © 2007-2013 GreenTree Applications SRL

Original file name:
Uninstall.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\ytdsetup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
5/21/2013 2:00:00 AM

Valid to:
7/21/2015 1:59:59 AM

Subject:
CN=Greentree Applications SRL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Greentree Applications SRL, L=Bucharest, S=Bucharest, C=RO

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
78DC92DC061211DFE51480E9347F91C8

File PE Metadata
Compilation timestamp:
4/10/2010 2:19:31 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
196608:YiivkOE8rMH6oD9EGduEzVFrTn3Am/2moaVvkVAGgLTNQfOCZ1BIFnc7Ae1cHmRy:YRvksgH6oPNBl32mW1gfumWUcksimRy

Entry address:
0x354B

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, 06, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 86, 40, 00, FF, 15, 80, 81, 40, 00, 68, 04, 86, 40, 00, 68, A0, 85, 46, 00, E8, 35, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 10, 4C, 00, 57, E8, 23, 26, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

The file ytdsetup.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to www.youtubedownloadersite.com  (95.211.187.90:80)

Powered by Reason Core Security