vlcsetup.exe

KBM2 Installer

sterkly LLC

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application vlcsetup.exe by sterkly has been detected as adware by 8 anti-malware scanners. The file has been seen being downloaded from api.kbm2.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
sterkly LLC  (signed and verified)

Product:
KBM2 Installer

Version:
2.1.0.1

MD5:
3fbd9b88c0d7294055efe51076cec6d1

SHA-1:
4692d7651391714d122b42550d8940a573fd9fbc

SHA-256:
cda71b85ca1dbc756d9eb6dcde1eb71e4423d5aa246ca1b0232e8f430ac00365

Scanner detections:
8 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser, installed with minimal or no user consent.

Analysis date:
11/23/2024 6:36:12 AM UTC

Scan engine            Detection                      Engine version
Baidu Antivirus        Trojan.Win32.Agent             4.0.3.14913
Dr.Web                 Adware.Plugin.18               9.0.1.0256
ESET NOD32             Win32/KBM (variant)            8.8965
herdProtect (fuzzy)                                   2014.11.9.8
Malwarebytes           PUP.AdBundle                   v2014.09.13.09
NANO AntiVirus         Trojan.Win32.Plugin.bavcky     0.26.0.55532
Reason Heuristics      PUP.Installer.sterkly.I        14.9.13.9
VIPRE Antivirus        sterkly LLC                    22710

File size:
531.1 KB (543,864 bytes)

Product version:
2.1.0.1

Copyright:
(c) Sterkly LLC. All rights reserved.

Original file name:
KBM2.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\vlcsetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/26/2012 5:30:00 AM

Valid to:
1/26/2013 5:29:59 AM

Subject:
CN=sterkly LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=sterkly LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
136DB6717AA1462B8176971FE58FEBD6

File PE Metadata
Compilation timestamp:
8/31/2012 2:15:19 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:MMBNfoLYC0LexiXZZ47eHqxeDIq6lWb8rYQZGkyQCe+:MMHbCeYiQ7XxeolW+5ZGkyQZ+

Entry address:
0x391E8

Entry point:
E8, A6, 6C, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, D0, FB, 46, 00, 75, 02, F3, C3, E9, 2D, 6D, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, 75, 14, 85, F6, 75, 04, 33, C0, EB, 61, 83, 7D, 08, 00, 75, 13, E8, 71, 33, 00, 00, 6A, 16, 5E, 89, 30, E8, 04, 73, 00, 00, 8B, C6, EB, 48, 83, 7D, 10, 00, 74, 16, 39, 75, 0C, 72, 11, 56, FF, 75, 10, FF, 75, 08, E8, FE, 6D, 00, 00, 83, C4, 0C, EB, C7, FF, 75, 0C, 6A, 00, FF, 75, 08, E8, 4C, 2F, 00, 00, 83, C4, 0C, 83, 7D, 10, 00, 74, BB, 39, 75, 0C, 73, 0E, E8, 27, 33, 00, 00, 6A...

Entropy:
6.2636

Code size:
337.5 KB (345,600 bytes)

The file vlcsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
