ezlookersetup.exe

KBM2 Installer

sterkly LLC

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application ezlookersetup.exe by sterkly has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from api.kbm2.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
sterkly LLC  (signed and verified)

Product:
KBM2 Installer

Version:
1.6.1.0

MD5:
211fcf64768a449bdec3a2b019bc0828

SHA-1:
c5cc4d45718bddae2387b05c7ee716a5c17170a9

SHA-256:
f6576078cc816b353a443bec4a36b19eaadaf9c02ec81b147dff8ceb1a3bf7c7

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
11/23/2024 6:49:18 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Yontoo (M)
16.7.31.19

File size:
528.6 KB (541,304 bytes)

Product version:
1.6.1.0

Copyright:
(c) Sterkly LLC. All rights reserved.

Original file name:
KBM2.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\ezlookersetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/25/2012 6:00:00 PM

Valid to:
1/25/2013 5:59:59 PM

Subject:
CN=sterkly LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=sterkly LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
136DB6717AA1462B8176971FE58FEBD6

File PE Metadata
Compilation timestamp:
3/27/2012 4:50:04 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:36GOYfLVfCsgKTZ13TTVTs4b2zPDZapv/iDn0ZLhMQZWTS:36GO0fPfb1TBb2zLZoiD0ZLhMQZWTS

Entry address:
0x38B5A

Entry point:
E8, A4, 6C, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, D0, EB, 46, 00, 75, 02, F3, C3, E9, 2B, 6D, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, 75, 14, 85, F6, 75, 04, 33, C0, EB, 61, 83, 7D, 08, 00, 75, 13, E8, 6F, 33, 00, 00, 6A, 16, 5E, 89, 30, E8, 02, 73, 00, 00, 8B, C6, EB, 48, 83, 7D, 10, 00, 74, 16, 39, 75, 0C, 72, 11, 56, FF, 75, 10, FF, 75, 08, E8, FC, 6D, 00, 00, 83, C4, 0C, EB, C7, FF, 75, 0C, 6A, 00, FF, 75, 08, E8, 4A, 2F, 00, 00, 83, C4, 0C, 83, 7D, 10, 00, 74, BB, 39, 75, 0C, 73, 0E, E8, 25, 33, 00, 00, 6A...
 
[+]

Entropy:
6.2391

Code size:
335.5 KB (343,552 bytes)

The file ezlookersetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove ezlookersetup.exe - Powered by Reason Core Security