home

vebergreat_cs.exe

veberGreat

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application vebergreat_cs.exe by veberGreat has been detected as adware by 2 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from teabag.blob.core.windows.net.
Publisher:
veberGreat  (signed and verified)

MD5:
5d1734c9c668fbc4351a551d6da3651d

SHA-1:
59553fa3e79bfccb9d9c9a63ba29f17bb5532e18

SHA-256:
443338c5e7d1f7ce6f470f7bef265f3e1b7189737b8cd56c064870bb9695f13d

Scanner detections:
2 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
2/24/2025 11:25:17 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.veberGreat.N
14.8.8.0

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.14108

File size:
242.5 KB (248,320 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\vebergreat_cs.exe

Digital Signature
Signed by:
veberGreat

Authority:
VeriSign, Inc.

Valid from:
9/19/2013 2:00:00 AM

Valid to:
9/20/2015 1:59:59 AM

Subject:
CN=veberGreat, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=veberGreat, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
377D972BB16B6077E300ED74C9FA32C8

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:qLk395hYXJsC66psRJnntnj9EMwEJghLHUCldUisktH9anH7l1m/GqMHJGULvX:qQqD66sREMnJgh/ld9HYnH7nm/G/Hcw

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file vebergreat_cs.exe has been seen being distributed by the following URL.

https://teabag.blob.core.windows.net/public-source/downloadguide/resources/file/freemium/vebergreat/1.0/.../veberGreat_cs.exe

Remove vebergreat_cs.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.