setup.exe

InstallVibes

This is the installer and setup program for the InstallVibes-branded Yontoo adware web browser extension. The adware injects various forms of advertisements into the user's web browser based on the HTML content and URLs viewed. Ads include banners, in-line context text links, coupons, and search. The program installs an auto-updating background service that updates the software with additional features. The application setup.exe by InstallVibes has been detected as adware by 23 anti-malware scanners. It is a setup and installation application and has been known to bundle potentially unwanted software.
Publisher:
InstallVibes (signed and verified)

MD5:
1396d9e80182e149788d729d3623d4c5

SHA-1:
d90559c52d379130525c5e43c2840d9cbc4547f2

SHA-256:
cb752d59fb994f37a584937b97b863ed53c06e45fa77ffb34cf36273568120b2

Scanner detections:
23 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
12/27/2024 1:22:29 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.MPlug.6 | 793
Agnitum Outpost | Riskware.Agent | 7.1.1
Avira AntiVirus | TR/Bundlore.D.1 | 7.11.176.202
AVG | Adware Skodna.Generic_r | 2015.0.3344
Bitdefender | Gen:Variant.Adware.MPlug.6 | 1.0.20.1685
Clam AntiVirus | Win.Trojan.Bundlore-3 | 0.98/21411
Comodo Security | Application.Win32.Agent.BUNE | 19718
Dr.Web | Adware.Downware.6446 | 9.0.1.0264
Emsisoft Anti-Malware | Gen:Variant.Adware.MPlug | 8.14.12.03.04
ESET NOD32 | Win32/Bundlore.F potentially unwanted application | 8.7.0.302.0
F-Prot | W32/A-3ac25dfa | v6.4.7.1.166
F-Secure | Gen:Variant.Adware.MPlug.6 | 11.2014-03-12_4
G Data | Gen:Variant.Adware.MPlug | 14.12.24
IKARUS anti.virus | Trojan.Bundlore | t3scan.1.7.8.0
K7 AntiVirus | Unwanted-Program | 13.183.13584
Kaspersky | not-a-virus:Downloader.Win32.Bundl | 14.0.0.2852
McAfee | PUP-FJG | 5600.6927
MicroWorld eScan | Gen:Variant.Adware.MPlug.6 | 15.0.0.1011
Panda Antivirus | Trj/Genetic.gen | 14.12.03.04
Qihoo 360 Security | Malware.QVM20.Gen | 1.0.0.1015
Reason Heuristics | PUP.Installer.InstallVibes.F | 14.9.21.12
Sophos | Bundlore | 4.98
VIPRE Antivirus | Threat.4150696 | 33624

File size:
284.2 KB (291,048 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/19/2014 9:00:00 PM

Valid to:
3/19/2016 8:59:59 PM

Subject:
CN=InstallVibes, O=InstallVibes, STREET=Ehad Haam 21 St., L=Tel Aviv, S=Israel, PostalCode=6515103, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F29201EBC1EAD2B751F2854AD68C6244

File PE Metadata
Compilation timestamp:
5/14/2014 9:23:40 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:kVkX4m5Cld3Lbii5bkgVuN+xSKV7Wkrsf7LsZX/eLw:mkomglJXikbkgaISKV5X/e0

Entry address:
0x555D

Entry point:
E8, 54, 62, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, F0, C4, 41, 00, E8, 6D, 16, 00, 00, E8, 25, 64, 00, 00, 0F, B7, F0, 6A, 02, E8, E7, 61, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, A6, 59, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Code size:
81.5 KB (83,456 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
