240714_t3.exe

Search Vortex

This is the installer (setup program) for a Yontoo adware component, a web browser plugin that injects unwanted advertisements into the browser. The application 240714_t3.exe, published by Search Vortex, has been flagged as adware by 21 of the 68 anti-malware scanners listed below; most vendors name the family BrowseFox or BPlug. The file is a setup application built with NSIS (Nullsoft Scriptable Install System). Once installed, the plugin hooks into the web browser and displays context-based advertisements, either overwriting the ads already present on a page or inserting new ones. The installer is typically executed from the user's temporary directory (see the common path below). It has been seen being downloaded from 2ndrequest.me and from other hosts.
Publisher:
Search Vortex  (signed and verified)

MD5:
f1c97746e73cb5db531f0de9096fdcbb

SHA-1:
ac419a2d396dc136e0fceab2f3a7bfa348c40258

SHA-256:
bd71da7bb05979e2ba98f5154e2d9e2397e51d8ef42aa5741fd8c713dd4f8770

Scanner detections:
21 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/25/2024 1:57:51 AM UTC

Scan engine             Detection                                            Engine version
Lavasoft Ad-Aware       Adware.BrowseFox.U                                   827
AhnLab V3 Security      PUP/Win32.BrowseFox                                  2014.10.31
AVG                     Generic                                              2015.0.3305
Baidu Antivirus         Adware.Win64.BrowseFox                               4.0.3.141030
Bitdefender             Adware.BrowseFox.U                                   1.0.20.1515
Dr.Web                  infected with Trojan.BPlug.181                       9.0.1.05190
Emsisoft Anti-Malware   Adware.BrowseFox.U                                   8.14.10.30.07
ESET NOD32              Win32/BrowseFox.C potentially unwanted application   7.0.302.0
Fortinet FortiGate      Adware/BrowseFox                                     10/30/2014
F-Secure                Adware.BrowseFox.U                                   11.2014-30-10_5
G Data                  Adware.BrowseFox                                     14.10.24
Malwarebytes            PUP.Optional.BPlug                                   v2014.10.30.07
McAfee                  Artemis!A5496B7F8124                                 5600.6961
MicroWorld eScan        Adware.BrowseFox.U                                   15.0.0.909
NANO AntiVirus          Trojan.Win32.BPlug.dfsehz                            0.28.6.62995
nProtect                Adware.BrowseFox.U                                   14.10.30.01
Qihoo 360 Security      HEUR/QVM42.0.Malware.Gen                             1.0.0.1015
Reason Heuristics       PUP.SearchVortex.J                                   14.10.27.19
Rising Antivirus        PE:Trojan.Win32.Generic.178DA965!395159909           23.00.65.141028
Sophos                  Generic PUA FF                                       4.98
VIPRE Antivirus         Threat.4150696                                       34232

File size:
569 KB (582,704 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\240714_t3.exe

Digital Signature
Signed by:
Search Vortex
Authority:
VeriSign, Inc.

Valid from:
10/2/2014 9:00:00 PM

Valid to:
1/12/2015 9:59:59 PM

Subject:
CN=Search Vortex, O=Search Vortex, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
71476B8D983F107DED3C6D8A73EF8C77

File PE Metadata
Compilation timestamp:
12/5/2009 8:52:01 PM (this is the build timestamp of the generic NSIS 2.x stub executable that every installer produced with that NSIS release shares; it says nothing about when the adware payload itself was built)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:sm5vKQCB6b5Yd3S1s15Ap/G/8/3D0Fw/tN8dkmLtpHHHrh7QhxA+OGEWJ6YHOX:sPd3S6j8/z0FmcLbH1Qhx5KWJFuX

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)
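
The metadata above (hashes, NSIS packer, compilation timestamp, OS and linker versions, subsystem, entry address and entry-point bytes) can be recovered from a suspect file offline with a few dozen lines of Python. The script below is an added example, not Reason Core Security's code or part of this report: it computes the three hashes and compares them with the ones listed here, parses the PE32 headers by hand (no pefile dependency), reads the first 16 bytes at the entry point through the section table, and checks for the NSIS "first header" marker that every NSIS 2.x installer carries in its overlay. Because the real sample is not distributed with this page, build_sample() constructs a stand-in PE whose header fields, entry bytes and NSIS marker mirror the values shown above; its hashes naturally do not match the report's.

```python
"""Offline triage of a suspected NSIS installer against the indicators in this
report: file hashes, PE32 header fields, entry-point bytes and the NSIS stub
marker. Added example, not Reason Core Security's code; build_sample() is a
constructed stand-in so the script runs without the real file."""
import calendar
import hashlib
import struct
from datetime import datetime, timezone

# Hashes copied from the report above.
KNOWN_HASHES = {
    "md5": "f1c97746e73cb5db531f0de9096fdcbb",
    "sha1": "ac419a2d396dc136e0fceab2f3a7bfa348c40258",
    "sha256": "bd71da7bb05979e2ba98f5154e2d9e2397e51d8ef42aa5741fd8c713dd4f8770",
}
# Every NSIS 2.x installer carries this "first header" marker in the overlay
# appended after the PE sections; its presence is a cheap NSIS check.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data):
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_HASHES}


def parse_pe32(data):
    """Read the header fields the report lists out of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsections):  # section table follows the optional header
        _name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((vaddr, max(vsize, rawsize), rawptr, rawsize))
    return {"timestamp": timestamp, "linker": (linker_major, linker_minor), "os": (os_major, os_minor),
            "entry_rva": entry_rva, "subsystem": subsystem, "sections": sections}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table; None if it has no raw backing."""
    for vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + vsize:
            delta = rva - vaddr
            return rawptr + delta if delta < rawsize else None
    return None


def triage(data, entry_len=16):
    """Summarise one file the way the report does, plus a hash match against its IOCs."""
    hdr = parse_pe32(data)
    off = rva_to_offset(hdr["sections"], hdr["entry_rva"])
    entry = data[off:off + entry_len] if off is not None else b""
    hashes = file_hashes(data)
    return {
        "hashes": hashes,
        "known_hash_match": [n for n, h in hashes.items() if KNOWN_HASHES[n] == h],
        "is_nsis": NSIS_MARKER in data,
        "compile_time": datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": "%d.%d" % hdr["linker"],
        "os_version": "%d.%d" % hdr["os"],
        "subsystem": SUBSYSTEMS.get(hdr["subsystem"], str(hdr["subsystem"])),
        "entry_rva": hdr["entry_rva"],
        "entry_bytes": entry.hex(),
    }


def build_sample():
    """Constructed stand-in (not the real sample): a one-section PE32 whose header
    fields, entry-point bytes and NSIS marker mirror what the report shows."""
    ts = calendar.timegm((2009, 12, 5, 20, 52, 1, 0, 0, 0))
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)                    # PE32, linker 6.0
    struct.pack_into("<I", opt, 16, 0x30CB)                          # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 4, 0)                           # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                               # Windows GUI
    text_raw, text_size = 0x200, 0x2200
    sect = struct.pack("<8sIIII", b".text", text_size, 0x1000, text_size, text_raw) + bytes(16)
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(text_raw, b"\0")
    text = bytearray(text_size)
    text[0x30CB - 0x1000:0x30CB - 0x1000 + 16] = bytes.fromhex("81EC8001000053555633DB57895C2418")
    return header + bytes(text) + NSIS_MARKER + bytes(32)            # marker in the overlay
```

On a real file, call triage(open(path, "rb").read()); a non-empty known_hash_match confirms the exact sample from this report, while is_nsis, linker_version 6.0 and the sub esp,0x180 entry bytes (81 EC 80 01 00 00) only tell you the file is a stock NSIS 2.x installer and say nothing about what it drops. Note that the file hashes in the report cover the whole installer including the overlay, so any repackaging of the same payload changes all three.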

The file 240714_t3.exe has been seen being distributed by the following 2 URLs.

Remove 240714_t3.exe - Powered by Reason Core Security