air2e18.exe

Super Web LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application air2e18.exe by Super Web has been detected as adware by 10 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr8.com.
Publisher:
Super Web LLC  (signed and verified)

MD5:
2121de64d8c420849d52ef31a7f2e20b

SHA-1:
9434803994ed6861fefdafd21c2232321a75c521

SHA-256:
694f131ffcd35bc3963bda27eb5e6308f55583a7d4a57c0903adf3e8986d1242

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/23/2024 11:14:53 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

AVG
AdInstaller.WebLayers
2014.0.3543

Bkav FE
W32.Clod388.Trojan
1.3.0.4613

Dr.Web
Adware.Shopper.361
9.0.1.0241

ESET NOD32
Win32/BrowseFox
7.9190

McAfee
Artemis!2121DE64D8C4
5600.7181

Reason Heuristics
PUP.SuperWeb.H
14.8.7.20

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.131209

SUPERAntiSpyware
Trojan.Agent/Gen-BHO
10707

Trend Micro House Call
WORM_BAGLE.BMH
7.2.241

VIPRE Antivirus
Yontoo
24866

File size:
170.3 KB (174,384 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\air2e18.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
12/13/2012 4:00:00 PM

Valid to:
12/14/2013 3:59:59 PM

Subject:
CN=Super Web LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Super Web LLC, L=Los Angeles, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4119CF85506B9920A6B0FFA138C96637

File PE Metadata
Compilation timestamp:
12/5/2009 2:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:uLk395hYXJsCoYNVFnDi5qMp5R9anH7l1m/GqMHJGULvWs:uQqDxNzO5TtYnH7nm/G/Hcm

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.8675

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file air2e18.exe has been seen being distributed by the following URL.

Remove air2e18.exe - Powered by Reason Core Security