1_offer_12.exe

snipsmart

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application 1_offer_12.exe by snipsmart has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from dl1.downserver5.com and multiple other hosts.
Publisher:
snipsmart  (signed and verified)

MD5:
8cae8fe9cce3a650278e0e9eff03eee9

SHA-1:
f9f2a269ad5cfc79c7f9f917e0794c439ac00ba1

SHA-256:
1172cd00fe360d0d4656d710c95627a6967ee22a5d3450a0e345d37213ffc109

Scanner detections:
8 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/25/2024 1:49:58 AM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.BrowseFox
4.0.3.14829

Dr.Web
Trojan.BPlug.181
9.0.1.0241

ESET NOD32
Win32/BrowseFox
8.10337

McAfee
Artemis!8CAE8FE9CCE3
5600.7023

Qihoo 360 Security
HEUR/Malware.QVM06.Gen
1.0.0.1015

Reason Heuristics
PUP.snipsmart.K
14.8.30.16

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.14827

Trend Micro House Call
Suspicious_GEN.F47V0826
7.2.241

File size:
569 KB (582,648 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\1_offer_12.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/4/2014 8:00:00 PM

Valid to:
8/5/2015 7:59:59 PM

Subject:
CN=snipsmart, O=snipsmart, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
44017A0654590E4048857CE5A4A44F1A

File PE Metadata
Compilation timestamp:
12/5/2009 5:52:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:qe3aTpUG1s15Ap/G/8/3D0Fw/tN8dkmLtpHHHrh7RItT024RYke18v:qIgv6j8/z0FmcLbH1RIt3G61w

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9811

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file 1_offer_12.exe has been seen being distributed by the following 3 URLs.

Remove 1_offer_12.exe - Powered by Reason Core Security