vlcsetup.exe

KBM2 Installer

sterkly LLC

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application vlcsetup.exe by sterkly has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler. The file has been seen being downloaded from api.kbm2.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
sterkly LLC  (signed and verified)

Product:
KBM2 Installer

Version:
2.5.1.0

MD5:
f33cde80495a74b7142296b45709d99b

SHA-1:
93ba07bca2d29e5da15a55db23411505ed3e6375

SHA-256:
66a2cbfe37cc124bd0dc8fb9faf2ac28b7d97b9f784a03188b85bf8eb4d10668

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
11/23/2024 3:30:13 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Yontoo.sterkly.Installer (M)
16.1.27.17

File size:
534.6 KB (547,448 bytes)

Product version:
2.5.1.0

Copyright:
(c) Sterkly LLC. All rights reserved.

Original file name:
KBM2.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\vlcsetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/22/2013 5:30:00 AM

Valid to:
2/22/2015 5:29:59 AM

Subject:
CN=sterkly LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=sterkly LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
113C6B2C72DEF110BE64B2ABBC52861E

File PE Metadata
Compilation timestamp:
3/6/2013 12:42:09 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:Tjw5VPp0aVBkkE/ZmJyZfY2U6/bKKFZubQDG:Tjw5sanpELZfY2UcKKZubQi

Entry address:
0x39CB4

Entry point:
E8, AA, 6C, 00, 00, E9, 89, FE, FF, FF, 3B, 0D, D0, 0B, 47, 00, 75, 02, F3, C3, E9, 31, 6D, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, 75, 14, 85, F6, 75, 04, 33, C0, EB, 61, 83, 7D, 08, 00, 75, 13, E8, 75, 33, 00, 00, 6A, 16, 5E, 89, 30, E8, 08, 73, 00, 00, 8B, C6, EB, 48, 83, 7D, 10, 00, 74, 16, 39, 75, 0C, 72, 11, 56, FF, 75, 10, FF, 75, 08, E8, 02, 6E, 00, 00, 83, C4, 0C, EB, C7, FF, 75, 0C, 6A, 00, FF, 75, 08, E8, 50, 2F, 00, 00, 83, C4, 0C, 83, 7D, 10, 00, 74, BB, 39, 75, 0C, 73, 0E, E8, 2B, 33, 00, 00, 6A...
 
[+]

Entropy:
6.2688

Code size:
340.5 KB (348,672 bytes)

Scheduled Task
Task name:
{5E5343D8-F6C4-4307-A5CF-067D5B6759C8}

Trigger:
Registration (Runs on registration)


The file vlcsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove vlcsetup.exe - Powered by Reason Core Security