airb0ea.exe

PowerfulBrowse

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application airb0ea.exe by PowerfulBrowse has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr9.com.
Publisher:
PowerfulBrowse  (signed and verified)

MD5:
7d1053aed5d1be3c33852a7c680e267d

SHA-1:
b3bb871f58eebf78a43427319cd8bd4a1a685d8f

SHA-256:
4644a6b7067149be025a29e296a03e85dc852218dc6a4e602c00e5b89a137b6e

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
12/24/2024 3:06:08 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Trojan.BPlug.90
9.0.1.0168

McAfee
Artemis!7D1053AED5D1
5600.7096

Reason Heuristics
PUP.PowerfulBrowse.H
14.6.19.23

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.14615

Trend Micro House Call
Suspicious_GEN.F47V0611
7.2.168

File size:
1.5 MB (1,528,504 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\airb0ea.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
3/29/2014 4:30:00 AM

Valid to:
3/30/2015 4:29:59 AM

Subject:
CN=PowerfulBrowse, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=PowerfulBrowse, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0D18FDCF326B0F33033260BCD44C1918

File PE Metadata
Compilation timestamp:
12/6/2009 2:22:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:JI8NpLlv+yzsN/GBt/ZGEd4MW/u3Wy8ez0yJsebH9vufN4y54q6KB8VtRnHlhB/P:+ytIdEPgE+gmy8ez0A44yanKB8ZXVfc+

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9960

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file airb0ea.exe has been seen being distributed by the following URL.

Remove airb0ea.exe - Powered by Reason Core Security