constasurfsetup.exe

ConstaSurf

This is the installer and setup program for the ConstaSurf-branded Yontoo adware web browser extension. The adware injects various forms of advertising into the user's web browser based on the HTML content and URLs viewed. Ads include banners, in-line contextual text links, coupons, and search results. The program also installs an auto-updating Windows service that updates the software and adds features. The application constasurfsetup.exe by ConstaSurf has been detected as adware by 10 of 68 anti-malware scanners. It is a setup application built with the Nullsoft Scriptable Install System (NSIS).
Publisher:
ConstaSurf (signed and verified)

MD5:
a109c58023e9164f9d3d0e35c8e402a0

SHA-1:
dad6499177be4da37b63513b54cb2bf173f919f5

SHA-256:
4cd532a179fdf8676a3091d0608f7a5710e5ec9ace2f45567528ea76aae5c49f

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program, which inserts various forms of advertising into the user's web browser and is installed with minimal or no user consent.

Analysis date:
11/23/2024 8:02:44 AM UTC

Scan engine                    Detection                           Engine version
avast!                         Win32:Patched-JI                    150717-0
Dr.Web                         Trojan.Yontoo.1734                  9.0.1.05190
Emsisoft Anti-Malware          Win32.SlugIn                        11.5.0.6191
ESET NOD32                     Win32/Slugin.A virus                8.0.319.0
F-Prot                         W32/Slugin.B                        4.6.5.141
Kaspersky                      Virus.Win32.Slugin                  15.0.0.562
McAfee                         Virus.W32/Wplugin                   18.0.204.0
Microsoft Security Essentials  Threat.Undefined                    1.219.485.0
Norman                         Win32.SlugIn.A                      02.04.2016 17:35:19
Reason Heuristics              PUP.Yontoo.ConstaSu.Installer (M)   16.5.2.15

File size:
555.1 KB (568,395 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Scriptable Install System

Common path:
C:\Documents and Settings\{user}\Local settings\temporary internet files\content.ie5\{random}\constasurfsetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
3/19/2014 12:00:00 AM

Valid to:
3/19/2015 11:59:59 PM

Subject:
CN=ConstaSurf, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ConstaSurf, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
46A82C62F93896A2C29C94EC6C4D8A3D

File PE Metadata
Compilation timestamp:
12/6/2009 5:52:01 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:qyi32nb1s15AB/G/8/3D0Fw/tN8dkmLtpHHHrh7E4zkm:qyLnb6F8/z0FmcLbH1lkm

Entry address:
0x30CB

Entry point:
60, E8, 00, 00, 00, 00, 5B, 81, EB, D0, 48, 88, 02, 83, EC, 74, 8B, EC, 8B, 83, AB, 4B, 88, 02, 89, 45, 00, 8B, 83, B3, 4B, 88, 02, 03, 45, 00, 89, 45, 2C, 8B, 83, B7, 4B, 88, 02, 03, 45, 00, 89, 45, 30, C7, 45, 14, 00, 00, 00, 00, C7, 45, 18, 00, 00, 00, 00, C7, 45, 1C, 00, 00, 00, 00, 8B, 45, 14, FF, 45, 14, 66, 33, C9, 8A, 8C, 03, FF, 4B, 88, 02, 84, C9, 74, 7A, 8B, 45, 1C, 66, 01, 4D, 1C, 03, C3, 05, 13, 4C, 88, 02, 50, 8B, 45, 2C, FF, 10, 85, C0, 0F, 84, 5E, 02, 00, 00, 89, 45, 10, 8B, 45, 1C, 03, C3...
 

Entropy:
7.8607

Packer / compiler:
ASPack v1.08.04

Code size:
22.5 KB (23,040 bytes)
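As an added example (not code from this page or from Reason Core Security), the following Python triage script computes the three hashes listed in this entry for a file and compares them with the values above, and computes Shannon entropy over the bytes to flag likely packed content, in the way the 7.8607 figure reported here would be flagged. The two sample buffers are constructed, not the real binary, and the 7.0 threshold is an assumed rule of thumb rather than a value from the page.

```python
import hashlib
import math
import random
from collections import Counter

# IOC hashes for constasurfsetup.exe as listed in this entry.
KNOWN_HASHES = {
    "md5": "a109c58023e9164f9d3d0e35c8e402a0",
    "sha1": "dad6499177be4da37b63513b54cb2bf173f919f5",
    "sha256": "4cd532a179fdf8676a3091d0608f7a5710e5ec9ace2f45567528ea76aae5c49f",
}

# Assumed rule-of-thumb threshold (bits per byte): compressed or encrypted
# data sits near 8.0; the page reports 7.8607 for this ASPack-packed file.
PACKED_ENTROPY_THRESHOLD = 7.0


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of a byte buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, known: dict = KNOWN_HASHES) -> dict:
    """Compare a buffer's hashes with the known IOCs and flag high entropy."""
    hashes = file_hashes(data)
    matched = sorted(algo for algo, digest in hashes.items() if known.get(algo) == digest)
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "hashes": hashes,
        "ioc_match": matched,  # all three algorithms match for the listed sample
        "entropy": round(entropy, 4),
        "likely_packed": entropy >= PACKED_ENTROPY_THRESHOLD,
    }


def triage_path(path: str) -> dict:
    """Read a file from disk and triage it."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed test buffers (not the real binary): a mostly-zero PE-like
# header and a pseudo-random buffer standing in for a packed section.
LOW_ENTROPY_SAMPLE = b"MZ" + b"\x00" * 4094
_rng = random.Random(1)
HIGH_ENTROPY_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, buf in (("low", LOW_ENTROPY_SAMPLE), ("high", HIGH_ENTROPY_SAMPLE)):
        r = triage(buf)
        print(f"{name}: entropy={r['entropy']} packed={r['likely_packed']} ioc={r['ioc_match']}")
```

Key on the SHA-256 value when matching; the MD5 and SHA-1 values are useful only for correlating with older scanner reports. High entropy on its own is a weak signal for an installer, since NSIS stubs carry compressed payloads anyway, so treat it as a reason to unpack and look further rather than as a verdict.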

The file constasurfsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
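As an added example (not code from this page or from Reason Core Security), this Python script applies the three network indicators above to constructed Squid-style proxy log lines: exact hostname and IP matches, plus a medium-confidence match for any other host under yontoo.com, which is an assumption rather than something the page lists. It deliberately keeps wac.edgecastcdn.net at low confidence, because that hostname is a shared CDN endpoint used by many legitimate sites and a hit on it alone does not indicate this adware.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Network indicators listed in this entry. wac.edgecastcdn.net is a shared
# CDN hostname, so on its own it only earns low confidence.
IOC_DOMAINS = {
    "service.yontoo.com": "high",
    "api.yontoo.com": "high",
    "wac.edgecastcdn.net": "low",
}
IOC_IPS = {
    "8.25.35.148": "high",
    "8.25.35.15": "high",
    "72.21.81.13": "low",
}
# Assumption: any other host under the yontoo.com zone is a medium-confidence hit.
IOC_ZONES = {"yontoo.com": "medium"}

# Squid native access.log layout:
# timestamp elapsed client action/code bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_host(host: str) -> Optional[str]:
    """Return a confidence label if the host (name or IP literal) is an IOC."""
    host = host.lower().rstrip(".")
    if host in IOC_DOMAINS:
        return IOC_DOMAINS[host]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return IOC_IPS.get(host)
    for zone, conf in IOC_ZONES.items():
        if host == zone or host.endswith("." + zone):
            return conf
    return None


def url_host(url: str) -> str:
    """Extract the host from a URL, including CONNECT-style host:port targets."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def scan_log(lines) -> list:
    """Parse each log line and record hits against the indicator sets."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = url_host(m.group("url"))
        conf = classify_host(host)
        if conf:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "host": host, "confidence": conf})
    return hits


def clients_to_check(hits) -> dict:
    """Group high/medium confidence hits by client address for follow-up."""
    by_client = defaultdict(set)
    for h in hits:
        if h["confidence"] in ("high", "medium"):
            by_client[h["client"]].add(h["host"])
    return {c: sorted(hosts) for c, hosts in by_client.items()}


# Constructed sample log lines (not real traffic); paths and the
# non-indicator addresses (203.0.113.x, TEST-NET-3) are made up.
SAMPLE_LOG = """\
1416700000.123 45 10.0.0.21 TCP_MISS/200 1345 GET http://service.yontoo.com/config - HIER_DIRECT/8.25.35.148 text/xml
1416700001.456 32 10.0.0.21 TCP_MISS/200 8821 GET http://api.yontoo.com/ads - HIER_DIRECT/8.25.35.15 application/json
1416700002.789 10 10.0.0.21 TCP_HIT/200 5532 GET http://wac.edgecastcdn.net/lib.js - HIER_NONE/- application/javascript
1416700003.000 12 10.0.0.33 TCP_MISS/200 2211 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1416700004.000 15 10.0.0.44 TCP_MISS/200 700 GET http://cdn.yontoo.com/update.bin - HIER_DIRECT/203.0.113.20 application/octet-stream
1416700005.000 20 10.0.0.55 TCP_TUNNEL/200 900 CONNECT 8.25.35.15:443 - HIER_DIRECT/8.25.35.15 -
1416700006.000 20 10.0.0.66 TCP_MISS/200 900 GET http://notyontoo.com/ - HIER_DIRECT/203.0.113.30 text/html
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(clients_to_check(scan_log(SAMPLE_LOG)))
```

Zone matching is anchored on a leading dot so that look-alike domains such as notyontoo.com do not match, and IP literals are checked against the IP set rather than the zone list so a direct-to-IP CONNECT still surfaces. Any hits that come only from the CDN hostname should be correlated with a yontoo.com request from the same client before anyone is paged.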

Remove constasurfsetup.exe - Powered by Reason Core Security