enhancetronicsetup_20131220.exe

EnhanceTronic

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application enhancetronicsetup_20131220.exe by EnhanceTronic has been detected as adware by 4 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d1t653m828c3x8.cloudfront.net and multiple other hosts.
Publisher:
EnhanceTronic  (signed and verified)

MD5:
0029b2b030c00ecec8a166d9cc62aacd

SHA-1:
2e6a20fc2fae58335f1c8bddf521a43bba2deb80

SHA-256:
ce4a3bf0e92bad53df22b9a31cfe5acd6de62d5c7b9ed8f9d95d50ba524fe975

Scanner detections:
4 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
11/27/2024 2:50:56 AM UTC

Scan engine               Detection                          Engine version
Qihoo 360 Security        HEUR/Malware.QVM06.Gen             1.0.0.1015
Reason Heuristics         PUP.Installer.EnhanceTronic.BB     14.8.8.3
Rising Antivirus          NS:PUF.SilenceInstaller!1.9DDF     23.00.65.14127
Trend Micro House Call    TROJ_GEN.F47V0128                  7.2.29

File size:
226.3 KB (231,760 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\enhancetronicsetup_20131220.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/27/2013 1:00:00 AM

Valid to:
11/28/2014 12:59:59 AM

Subject:
CN=EnhanceTronic, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=EnhanceTronic, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
47011A69DA61BB00374559218BF5D8A3

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:NZ+119Uw9Egq//cBe2/1RWBT5AYZm/G/Hc:+Uwagq//U1s15AB/G/8

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file enhancetronicsetup_20131220.exe has been seen being distributed by the following 2 URLs.

Remove enhancetronicsetup_20131220.exe - Powered by Reason Core Security