LookThisUp.exe

Sea Bug

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application LookThisUp.exe by Sea Bug has been detected as adware by 21 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘LookThisUp’.
Publisher:
LookThisUp  (signed by Sea Bug)

Product:
LookThisUp

Version:
1.0

MD5:
8a0bd542ef36669e9917ff4ae11ad9b6

SHA-1:
54d09b9d687f62a67f19b6a178594e2b30cedb7e

SHA-256:
43b4c76ba0fe9787187c54e5c31b9496faaa88306ff4a0702e58e473f594e505

Scanner detections:
21 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
12/25/2024 4:04:24 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Agent.OMN
824

Avira AntiVirus
Adware/Agent.1848976.51
7.11.182.198

avast!
Win32:Adware-gen [Adw]
2014.9-141102

AVG
Generic
2015.0.3302

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.14112

Bitdefender
Adware.Agent.OMN
1.0.20.1530

Comodo Security
ApplicUnwnt
19697

Emsisoft Anti-Malware
Adware.Agent.OMN
8.14.11.02.02

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10619

Fortinet FortiGate
Adware/IBryte
11/2/2014

F-Secure
Adware.Agent.OMN
11.2014-02-11_1

G Data
Adware.Agent.OMN
14.11.24

IKARUS anti.virus
PUA.Downloader
t3scan.1.7.8.0

Malwarebytes
PUP.Optional.LookThisUp.A
v2014.11.02.02

McAfee
PUP-FRX
5600.6958

MicroWorld eScan
Adware.Agent.OMN
15.0.0.918

nProtect
Adware.Agent.OMN
14.10.24.01

Qihoo 360 Security
HEUR/QVM03.0.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Startup.SeaBug.K
14.11.2.14

Sophos
Generic PUA DA
4.98

Trend Micro House Call
TROJ_GEN.R0C1H06K114
7.2.306

File size:
1.8 MB (1,848,976 bytes)

Product version:
1.0

Copyright:
Copyright © LookThisUp 2014

Original file name:
LookThisUp.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\lookthisup\lookthisup.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
7/25/2014 10:59:04 PM

Valid to:
7/25/2015 10:59:04 PM

Subject:
CN=Sea Bug, O=Sea Bug, L=Orange, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
081CF04D6E5726

File PE Metadata
Compilation timestamp:
10/31/2014 2:03:09 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:sWxhHS/BqXP8fAnnoyqPOjWacHbPmJCWyaH7Zjjo0+KaO39QGoXYBCJ9zImeWKBL:cWEI8GjUHbCLH71GOttoXYcJQXIOCY0+

Entry address:
0x1C1F3E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.8 MB (1,835,008 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
LookThisUp

Command:
"C:\users\{user}\appdata\roaming\lookthisup\lookthisup.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.markt.de  (213.95.6.42:80)

TCP (HTTP):
Connects to s3-website-eu-west-1.amazonaws.com  (54.231.132.109:80)

TCP (HTTP):
Connects to img.billiger.de  (62.146.193.232:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (108.59.10.9:80)

TCP (HTTP):
Connects to ec2-54-77-178-178.eu-west-1.compute.amazonaws.com  (54.77.178.178:80)

TCP (HTTP):
Connects to ec2-54-235-183-156.compute-1.amazonaws.com  (54.235.183.156:80)

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP):
Connects to ec2-54-165-233-185.compute-1.amazonaws.com  (54.165.233.185:80)

TCP (HTTP):
Connects to ec2-23-23-225-30.compute-1.amazonaws.com  (23.23.225.30:80)

TCP (HTTP):
Connects to ec2-23-23-166-213.compute-1.amazonaws.com  (23.23.166.213:80)

TCP (HTTP):
Connects to ec2-23-21-226-104.compute-1.amazonaws.com  (23.21.226.104:80)

TCP (HTTP):

Remove LookThisUp.exe - Powered by Reason Core Security