vlcsetup.exe

KBM2 Installer

sterkly LLC

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application vlcsetup.exe by sterkly has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from api.kbm2.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
sterkly LLC  (signed and verified)

Product:
KBM2 Installer

Version:
2.1.0.2

MD5:
3b4f73c8d991ab1ec04433f22c88da3a

SHA-1:
73a6ffb6381a46bc58bf303d7599900dc60f422b

SHA-256:
458fc5d86ddc5d4fc24088b77a4968b1faceb2775652c55c6105f339700f39e9

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
11/9/2024 12:45:32 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Yontoo.sterkly.Installer (M)
16.4.25.19

File size:
531.6 KB (544,376 bytes)

Product version:
2.1.0.2

Copyright:
(c) Sterkly LLC. All rights reserved.

Original file name:
KBM2.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\vlcsetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/26/2012 12:00:00 AM

Valid to:
1/25/2013 11:59:59 PM

Subject:
CN=sterkly LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=sterkly LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
136DB6717AA1462B8176971FE58FEBD6

File PE Metadata
Compilation timestamp:
11/13/2012 10:08:44 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:n14Cv009mWBuGW9Zq2+W2ihRqRyNjfzy7GdjWKOZ3Na+QOXu:nWC/muPvW2PRyMdZA+QOXu

Entry address:
0x3948A

Entry point:
E8, A4, 6C, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, D0, FB, 46, 00, 75, 02, F3, C3, E9, 2B, 6D, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, 75, 14, 85, F6, 75, 04, 33, C0, EB, 61, 83, 7D, 08, 00, 75, 13, E8, 6F, 33, 00, 00, 6A, 16, 5E, 89, 30, E8, 02, 73, 00, 00, 8B, C6, EB, 48, 83, 7D, 10, 00, 74, 16, 39, 75, 0C, 72, 11, 56, FF, 75, 10, FF, 75, 08, E8, FC, 6D, 00, 00, 83, C4, 0C, EB, C7, FF, 75, 0C, 6A, 00, FF, 75, 08, E8, 4A, 2F, 00, 00, 83, C4, 0C, 83, 7D, 10, 00, 74, BB, 39, 75, 0C, 73, 0E, E8, 25, 33, 00, 00, 6A...
 
[+]

Entropy:
6.2675

Code size:
338 KB (346,112 bytes)

The file vlcsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove vlcsetup.exe - Powered by Reason Core Security