793485a.tmp

Yontoo

Yontoo LLC

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file 793485a.tmp by Yontoo has been detected as adware by 10 anti-malware scanners. It is also typically executed from the user's temporary directory.
Publisher:
Yontoo LLC  (signed and verified)

Product:
Yontoo

Description:
Installer

Version:
2012.10.23.1734

MD5:
3a410888de3f72d7d5be4ff073df6c94

SHA-1:
3cddbacf54168fe45b2300f9def9bdc82012b798

SHA-256:
d524355d36c195cf33c08d522b39146e2bc12b960ee99ad5c9a1a26e0c78ab15

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
11/14/2024 9:04:27 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/Yontoo.Gen
7.11.97.22

Comodo Security
UnclassifiedMalware
16780

Dr.Web
Adware.Siggen.24249
9.0.1.0343

ESET NOD32
Win32/Adware.Yontoo (variant)
8.8697

IKARUS anti.virus
AdWare.Yontoo
t3scan.2.0.127

NANO AntiVirus
Trojan.Win32.Siggen.bjpwsz
0.26.0.53954

Reason Heuristics
PUP.Installer.Yontoo.K
14.12.9.20

Rising Antivirus
Trojan.InstallRex!562A
23.00.65.141207

Trend Micro House Call
TROJ_GEN.RCBH1JV
7.2.343

VIPRE Antivirus
Yontoo
20592

File size:
1 MB (1,062,584 bytes)

Product version:
1.10.03

Copyright:
Copyright (c) 2012 Yontoo LLC. All rights reserved.

Language:
Turkish (Turkey)

Common path:
C:\users\{user}\appdata\local\temp\793485a.tmp

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
12/7/2011 2:00:00 AM

Valid to:
12/7/2012 1:59:59 AM

Subject:
CN=Yontoo LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Yontoo LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4F8617352536F013088C9B5533AA4440

File PE Metadata
Compilation timestamp:
3/11/2011 4:55:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:2tKWRpNxTWKEC6gfY/NonIdnkiNKUSvAsBi+7OZSz:qKGNxTJLICcKTvAsBibg

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

Remove 793485a.tmp - Powered by Reason Core Security