ytdsetup.exe

YTD Video Downloader

GreenTree Applications srl

The application ytdsetup.exe, “YTD Video Downloader stub installer” by GreenTree Applications srl has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from d1xwl5njfl9nht.cloudfront.net and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
GreenTree Applications srl  (signed and verified)

Product:
YTD Video Downloader

Description:
YTD Video Downloader stub installer

Version:
5.8.0.3

MD5:
f6dbeeac67e2ad92185c11799f39171b

SHA-1:
ebe295dfe66b7f9d7a017aca3a523af9114fcfa5

SHA-256:
7a4db8ed40ef5fe1fb081ce34e141f2cfa68fafaaaeeab04549ed89028894df4

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
This is part of a Greentree bundled installer, which includes various adware, toolbars and co-bundled potentially unwanted apps pushed to the user upon setup.

Analysis date:
12/25/2024 2:13:39 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.GreenTree (M)

Engine version:
16.8.25.15

File size:
115.9 KB (118,728 bytes)

Product version:
5.8.0.3

Copyright:
(c) 2016 GreenTree Applications SRL. All rights reserved.

Original file name:
YTDStub.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\ytdsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
7/27/2016 2:25:38 PM

Valid to:
11/18/2016 9:02:14 PM

Subject:
CN=GreenTree Applications srl, O=GreenTree Applications srl, L=Bucuresti, C=RO

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00B06D48A15E485DEF

File PE Metadata
Compilation timestamp:
2/25/2012 12:49:59 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
1536:dVdePelp2Xy+tuQOzOYE5aXPnD68gkW+RoeGd8yNkM/Dk22WbCwF8B5HyTWBCIb2:GweqOYEUXPnD7Ozd8yNka9bCt5kYCoDi

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Entropy:
7.0223

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file ytdsetup.exe has been seen being distributed by the following 29 URLs.


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (5.79.67.111:80)

Remove ytdsetup.exe - Powered by Reason Core Security