» airb6e8.exe
Overview
Analysis
File Details
Downloads (1)

airb6e8.exe

bomlabio

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application airb6e8.exe by bomlabio has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr8.com.

File name:

airb6e8.exe

Publisher:

bomlabio (signed and verified)

MD5:

3746cb39e4e96273f207e90d368dfef4

SHA-1:

6315726365404f512fa38793b6217d00486b8882

SHA-256:

8804b30815611bad2993b5261723ed7d63f82c9ceae891ffca914107e2429a99

Scanner detections:

5 / 68

Status:

Adware

Explanation:

Injects advertising in the web browser in various formats.

Analysis date:

11/23/2024 3:46:37 AM UTC (today)

Scan engine

Detection

Engine version

ESET NOD32

Win32/BrowseFox

7.9190

herdProtect (fuzzy)

variant of illoxum_mg.exe (Adware)

2013.12.25.23

Malwarebytes

PUP.Optional.Bomlabio.A

v2013.12.22.01

Reason Heuristics

PUP.bomlabio.H

14.8.7.21

Rising Antivirus

NS:PUF.SilenceInstaller!1.9DDF

23.00.65.131220

File size:

198.1 KB (202,832 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\temp\airb6e8.exe

Digital Signature

Signed by:

bomlabio

Authority:

VeriSign, Inc.

Valid from:

8/20/2013 9:00:00 PM

Valid to:

8/20/2015 8:59:59 PM

Subject:

CN=bomlabio, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=bomlabio, L=San Diego, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

3021C927F812EAA41476FBAB417A4932

File PE Metadata

Compilation timestamp:

12/5/2009 8:50:41 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

3072:OLk395hYXJsCUDAMpRenzAXEH/xUiAKQ89anH7l1m/GqMHJGULvN:OQqDUMMszAXMUYYnH7nm/G/Hca

Entry address:

0x30CB

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

22.5 KB (23,040 bytes)

The file airb6e8.exe has been seen being distributed by the following URL.

http://cdn.airdlr8.com/downloads/offers/.../bomlabio_ai.exe

Remove airb6e8.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.