130214_t2.exe

gooternet

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application 130214_t2.exe by gooternet has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.hakoonportal.net and multiple other hosts.
Publisher:
gooternet  (signed and verified)

MD5:
4b60fc2593e8aa0311f2dbbb85648c31

SHA-1:
7dbca010989e8ae5f07e8dd4a782bda88700c010

SHA-256:
74caa2901ef20507dacf8fdcb5f55e34d4e7cb3e146b4bde50c6b0b074ed16ea

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/4/2024 8:01:08 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2015.0.3399

Clam AntiVirus
Win.Adware.Linkular
0.98/19185

Dr.Web
Trojan.BPlug.100
9.0.1.05190

ESET NOD32
Win32/BrowseFox
8.10158

McAfee
Artemis!4B60FC2593E8
5600.7055

Qihoo 360 Security
HEUR/Malware.QVM06.Gen
1.0.0.1015

Reason Heuristics
PUP.gooternet.J
14.7.27.14

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.14726

Total Defense
Win32/Tnega.XcPVJVD
37.0.11083

Trend Micro House Call
Suspicious_GEN.F47V0615
7.2.209

VIPRE Antivirus
Threat.4150696
31208

File size:
462.6 KB (473,720 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\130214_t2.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
3/18/2014 8:00:00 PM

Valid to:
3/19/2015 7:59:59 PM

Subject:
CN=gooternet, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=gooternet, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6833AE314355006DDCB1CFFFFA2C185E

File PE Metadata
Compilation timestamp:
12/5/2009 7:52:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:LJXo4s2nb1s15AB/G/8/3D0Fw/tN8dkmLtpHHHrh7P:L1o41nb6F8/z0FmcLbH1P

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file 130214_t2.exe has been seen being distributed by the following 5 URLs.

http://www.hakoonportal.net/.../310714_t2.exe

http://www.2ndrequest.me/.../240714_t2.exe

Remove 130214_t2.exe - Powered by Reason Core Security