airb6e8.exe

bomlabio

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application airb6e8.exe by bomlabio has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.airdlr8.com.
Publisher:
bomlabio  (signed and verified)

MD5:
3746cb39e4e96273f207e90d368dfef4

SHA-1:
6315726365404f512fa38793b6217d00486b8882

SHA-256:
8804b30815611bad2993b5261723ed7d63f82c9ceae891ffca914107e2429a99

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/23/2024 11:27:19 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

ESET NOD32
Win32/BrowseFox
7.9190

herdProtect (fuzzy)
2013.12.25.23

Malwarebytes
PUP.Optional.Bomlabio.A
v2013.12.22.01

Reason Heuristics
PUP.bomlabio.H
14.8.7.21

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.131220

File size:
198.1 KB (202,832 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\airb6e8.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/20/2013 9:00:00 PM

Valid to:
8/20/2015 8:59:59 PM

Subject:
CN=bomlabio, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=bomlabio, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3021C927F812EAA41476FBAB417A4932

File PE Metadata
Compilation timestamp:
12/5/2009 8:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:OLk395hYXJsCUDAMpRenzAXEH/xUiAKQ89anH7l1m/GqMHJGULvN:OQqDUMMszAXMUYYnH7nm/G/Hca

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file airb6e8.exe has been seen being distributed by the following URL.

Remove airb6e8.exe - Powered by Reason Core Security