fassurun_di.exe

fassurun

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The application fassurun_di.exe by fassurun has been detected as adware by 10 anti-malware scanners. The program is a setup application built with the Nullsoft Scriptable Install System (NSIS). It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is typically executed from the user's temporary directory. The file has been seen being downloaded from www.apptilio.com.

Publisher:
fassurun  (signed and verified)

MD5:
8b5363f04dbe9b5e5d5f16b23a57db85

SHA-1:
4fdf123ebd8ceff3bf91ea5c04de819921e679c1

SHA-256:
46513e95807587a0c929ee06584a2305fc3927e6a3657c51f47c9241aeb7c021

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/25/2024 12:51:48 AM UTC

Scan engine               Detection                          Engine version
Bkav FE                   W32.Cloddd8.Trojan                 1.3.0.4613
Dr.Web                    Trojan.BPlug.6                     9.0.1.0360
ESET NOD32                Win32/BrowseFox                    7.9285
herdProtect (fuzzy)                                          2014.1.5.14
McAfee                    Artemis!8B5363F04DBE               5600.7269
Reason Heuristics         PUP.fassurun.L                     14.8.7.21
Rising Antivirus          NS:PUF.SilenceInstaller!1.9DDF     23.00.65.131224
Trend Micro House Call    TROJ_GEN.F47V1209                  7.2.360
VIPRE Antivirus           Trojan.Win32.Generic               25402
XVirus List               Win32.Detected                     2.8.7

File size:
198 KB (202,736 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Scriptable Install System

Common path:
C:\users\{user}\appdata\local\temp\fassurun_di.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/20/2013 8:00:00 PM

Valid to:
8/20/2015 7:59:59 PM

Subject:
CN=fassurun, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=fassurun, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6EA3A2D62F7379560AF4974E60282338

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:qLk395hYXJsC07lKJnzAXEH/xUiAKQ89anH7l1m/GqMHJGULvN:qQqD07lK1zAXMUYYnH7nm/G/Hc+

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
Entropy:
7.8955  (probably packed)

Code size:
22.5 KB (23,040 bytes)

The file fassurun_di.exe has been seen being distributed by the following URL.
