pageragegcsetup.exe

Theme Your World

Theme Your World LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application pageragegcsetup.exe by Theme Your World has been detected as adware by 6 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. The file has been seen being downloaded from download.pagerage.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Theme Your World LLC  (signed and verified)

Product:
Theme Your World

Description:
Installer

Version:
2012.8.10.1616

MD5:
f0a2719dd55c9133d262d77c50840b80

SHA-1:
fd64e7b965d5b6c6a7e8f541dc845bf44bdb46b6

SHA-256:
4c46588c8811645f81f1f947e9a4503e7cb638e0c0f6430c9e0caeef151fecef

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser and is installed with minimal or no user consent.

Analysis date:
11/27/2024 1:47:55 AM UTC

Scan engine         Detection                          Engine version
Comodo Security     UnclassifiedMalware                13938
ESET NOD32          Win32/Adware.Yontoo (variant)      8.7611
MicroWorld eScan    TROJ_FAKEAV.BMC                    15.0.0.483
Panda Antivirus     Suspicious file                    14.06.10.02
Reason Heuristics   PUP.Installer.ThemeYourWorld.P     14.8.7.20
VIPRE Antivirus     Yontoo                             13630

File size:
1.4 MB (1,471,824 bytes)

Product version:
1.00

Copyright:
Copyright (c) 2011 Theme Your World LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\pageragegcsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
5/15/2012 12:48:23 PM

Valid to:
5/15/2013 9:50:46 AM

Subject:
CN=Theme Your World LLC, O=Theme Your World LLC, L=Carlsbad, S=CA, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0418C993014B2F

File PE Metadata
Compilation timestamp:
8/8/2011 3:55:34 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:yYU0awPjwVSvxXyyt7O1sE2TLjfIvcNvED5/m4ZRzB44yZ5MNS+Rmv4FZAtDk6g:xnPBv1376szLjGc0xm4ZRzBW5ypo+ZoI

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...

Entropy:
7.9975

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file pageragegcsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
