pageragegcsetup.exe

Theme Your World

Theme Your World LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application pageragegcsetup.exe by Theme Your World has been detected as adware by 2 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from download.pagerage.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Theme Your World LLC  (signed and verified)

Product:
Theme Your World

Description:
Installer

Version:
2011.12.21.1448

MD5:
978ab547f88a30fc5194c4f0cb31a21a

SHA-1:
d4a33f55bafcc52894f18cecd838819110e6dddb

SHA-256:
957d16ad24641e9faf7fcce54bdfa677c2d601ea77ffaf1c6f0964d43fcbaca1

Scanner detections:
2 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
12/25/2024 12:36:54 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Installer.ThemeYourWorld

Engine version:
15.2.8.18

Scan engine:
VIPRE Antivirus

Detection:
Yontoo

Engine version:
11291

File size:
1.2 MB (1,229,912 bytes)

Product version:
1.00

Copyright:
Copyright (c) 2011 Theme Your World LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\pageragegcsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
5/9/2011 2:38:01 PM

Valid to:
5/9/2012 2:38:01 PM

Subject:
CN=Theme Your World LLC, O=Theme Your World LLC, L=Carlsbad, S=CA, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
080229C2AD472D

File PE Metadata
Compilation timestamp:
8/8/2011 6:55:34 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:k1nfAhgKNPpcxpcx5bIZ3x0GTM2s7ZqzavAST8Gd1aQUxpEgMNNBh3:Kni3c83OqYumlobZ

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...

Entropy:
7.9966

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file pageragegcsetup.exe has been seen being distributed by the following URL.

http://download.pagerage.com/PageRageGCSetup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove pageragegcsetup.exe - Powered by Reason Core Security