gimpsetup.exe

KBM2 Installer

Best Download Manager

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application gimpsetup.exe by Best Download Manager has been detected as adware by 10 anti-malware scanners. During install, it bundles potentially unwanted software on a user's computer at the same time without adequate consent. The file has been seen being downloaded from api.kbm2.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Best Download Manager   (signed by Best Download Manager)

Product:
KBM2 Installer

Version:
2.5.1.0

MD5:
12f175fd3955c9d5fec27a67352029e4

SHA-1:
e320c21ceedfb51b70033e183df47d37d4eca9bd

SHA-256:
5c5b49874f4c85740efe639f4ba8b1aa794866bbc4b1aae08516b06420a833ab

Scanner detections:
10 / 68

Status:
Adware

Explanation:
May bundle additional potentially unwanted software such as adware during setup.

Analysis date:
11/9/2024 12:24:20 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

AVG
AdInject.Bdmngr
2015.0.3345

Dr.Web
Adware.Plugin.85
9.0.1.0264

ESET NOD32
Win32/KBM (variant)
8.9744

IKARUS anti.virus
AdWare.Win32.KBM
t3scan.1.6.1.0

Malwarebytes
PUP.Optional.BundleInstaller.A
v2014.09.21.09

McAfee
Artemis!AF94949E58BB
5600.6927

NANO AntiVirus
Riskware.Win32.Plugin.cxiows
0.28.0.60577

Reason Heuristics
PUP.Installer.BestDownloadManager.J
14.9.21.9

VIPRE Antivirus
sterkly LLC
28732

File size:
650.1 KB (665,736 bytes)

Product version:
2.5.1.0

Copyright:
(c) Best Download Manager . All rights reserved.

Original file name:
KBM2.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\gimpsetup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
7/25/2013 1:00:00 AM

Valid to:
7/26/2015 12:59:59 AM

Subject:
CN=Best Download Manager, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Best Download Manager, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5F3BBF9CAABCE7C81AB69ABF7371A064

File PE Metadata
Compilation timestamp:
8/7/2013 8:25:15 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:tgq6uX5c0RzWguzZylIAllGVytvHdKme7IZopY4Q/+ge3B+Q/Y:tR610ZluglqytYmesZoy+jYQQ

Entry address:
0x3A3C0

Entry point:
E8, 0E, 6F, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, D0, 0B, 47, 00, 75, 02, F3, C3, E9, 95, 6F, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, 75, 14, 85, F6, 75, 04, 33, C0, EB, 61, 83, 7D, 08, 00, 75, 13, E8, D9, 35, 00, 00, 6A, 16, 5E, 89, 30, E8, 6C, 75, 00, 00, 8B, C6, EB, 48, 83, 7D, 10, 00, 74, 16, 39, 75, 0C, 72, 11, 56, FF, 75, 10, FF, 75, 08, E8, 66, 70, 00, 00, 83, C4, 0C, EB, C7, FF, 75, 0C, 6A, 00, FF, 75, 08, E8, B4, 31, 00, 00, 83, C4, 0C, 83, 7D, 10, 00, 74, BB, 39, 75, 0C, 73, 0E, E8, 8F, 35, 00, 00, 6A...
 
[+]

Entropy:
6.2683

Code size:
342.5 KB (350,720 bytes)

The file gimpsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove gimpsetup.exe - Powered by Reason Core Security