wildwestsetup.exe

Wild West

This is the installer and setup program for the Wild West branded build of the Yontoo adware web browser extension. Once installed, the extension injects advertisements into the user's web browser based on the HTML content and URLs viewed, either by overwriting existing ads on a page or by inserting new ones; ad formats include banners, in-line context text links, coupons, and search results. The installer also registers an auto-updating Windows service that can update the software and add features. wildwestsetup.exe, published by Wild West, is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer and has been detected as adware by 13 anti-malware scanners. The file is Authenticode-signed with a VeriSign-issued certificate in the name of Wild West; a valid signature only ties the file to that publisher and says nothing about whether the software is benign.
Publisher:
Wild West  (signed and verified)

MD5:
dc8f4605a30c79f870b7766103327089

SHA-1:
eafc2bac17b6843c8ab496d7979b975a31bac87f

SHA-256:
a82f6a58cae21aa052655d32450f0d87c5f4ca1c95f99608db3f60090a7a854a

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/26/2024 5:23:09 PM UTC

Scan engine           Detection                                            Engine version
Avira AntiVirus       ADWARE/BrowseFox.Gen                                 7.11.218.32
AVG                   BrowseFox                                            2016.0.3167
Baidu Antivirus       Adware.Win32.BrowseFox                               4.0.3.15317
Dr.Web                Trojan.Siggen6.31097                                 9.0.1.076
ESET NOD32            Win32/BrowseFox.C potentially unwanted application   7.0.302.0
G Data                NSIS.Application.BrowseFox                           15.3.25
herdProtect (fuzzy)                                                        2015.6.23.15
NANO AntiVirus        Trojan.Nsis.BrowseFox.dnxihk                         0.30.8.659
Qihoo 360 Security    HEUR/QVM42.0.Malware.Gen                             1.0.0.1015
Reason Heuristics     Threat.Yontoo.Installer                              15.4.14.13
Rising Antivirus      NS:PUF.SilenceInstaller!1.9DDF                       23.00.65.15315
VIPRE Antivirus       Threat.4150696                                       37788

File size:
464.9 KB (476,008 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\wildwestsetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/10/2015 4:00:00 PM

Valid to:
1/11/2016 3:59:59 PM

Subject:
CN=Wild West, O=Wild West, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
496B67C883386C82B7E6FF63CEFE1466

File PE Metadata
Compilation timestamp:
12/5/2009 2:52:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:vLOSlu2ney1s15Ap/G/8/3D0Fw/tN8dkmLtpHHHrh7L:vXney6j8/z0FmcLbH1L

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)
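The PE metadata above (compilation timestamp, OS version, subsystem, linker version, entry address, entry-point bytes, code size) all comes straight from the PE headers, and the digests and entry bytes are what you would use to confirm that a file you are holding is this sample. The script below is an added example, not herdProtect's or the publisher's code: it parses those header fields with the Python standard library only, maps the entry RVA to a file offset through the section table, and compares a file's MD5/SHA-1/SHA-256 and first entry-point bytes against the values listed on this page. build_sample_pe() constructs a fake PE32 that mimics the listed fields so the script runs offline; the page's "12/5/2009 2:52:01 PM" timestamp is assumed to be UTC. One caveat worth knowing when reading that timestamp: NSIS installers are built from a precompiled stub, so the PE compile time reflects when the NSIS stub was compiled, not when this adware package was assembled, which is why it predates the 2015 signing certificate.

```python
"""Added example (not herdProtect's code): read PE32 header fields and check
digests and entry-point bytes against this page's IOCs, stdlib only."""
import hashlib
import struct
from datetime import datetime, timezone

# Indicators as listed on this page for wildwestsetup.exe
IOC_HASHES = {
    "md5": "dc8f4605a30c79f870b7766103327089",
    "sha1": "eafc2bac17b6843c8ab496d7979b975a31bac87f",
    "sha256": "a82f6a58cae21aa052655d32450f0d87c5f4ca1c95f99608db3f60090a7a854a",
}
IOC_ENTRY_RVA = 0x30CB
# First 12 listed entry bytes: sub esp,0x180; push ebx; push ebp; push esi; xor ebx,ebx; push edi
IOC_ENTRY_PREFIX = bytes.fromhex("81EC8001000053555633DB57")
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def rva_to_offset(sections, rva: int) -> int:
    """Map a relative virtual address to a file offset via the section table."""
    for _name, va, size, rawptr in sections:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} not inside any section")


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers plus the section table of a PE32."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Win32) images are handled here")
    lnk_major, lnk_minor = struct.unpack_from("<BB", data, opt + 2)
    code_size, = struct.unpack_from("<I", data, opt + 4)       # SizeOfCode
    entry_rva, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))
    entry_off = rva_to_offset(sections, entry_rva)
    return {
        "compiled": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "code_size": code_size,
        "entry_rva": entry_rva,
        "entry_bytes": data[entry_off:entry_off + 16],
        "sections": [s[0] for s in sections],
    }


def triage(data: bytes) -> dict:
    """Compare a file against the page's digests and entry-point signature."""
    digests = {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}
    info = parse_pe(data)
    return {
        "hash_match": digests == IOC_HASHES,
        "entry_rva_match": info["entry_rva"] == IOC_ENTRY_RVA,
        "entry_prefix_match": info["entry_bytes"].startswith(IOC_ENTRY_PREFIX),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 carrying the page's header values (not the real file)."""
    stamp = int(datetime(2009, 12, 5, 14, 52, 1, tzinfo=timezone.utc).timestamp())  # assumed UTC
    img = bytearray(0x400 + 0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = 0x58
    struct.pack_into("<HBBI", img, opt, 0x10B, 6, 0, 23040)        # PE32, linker 6.0, SizeOfCode
    struct.pack_into("<I", img, opt + 16, IOC_ENTRY_RVA)
    struct.pack_into("<HH", img, opt + 40, 4, 0)                   # OS version 4.0
    struct.pack_into("<H", img, opt + 68, 2)                       # Windows GUI
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", 0x3000, 0x1000, 0x3000, 0x400)
    off = IOC_ENTRY_RVA - 0x1000 + 0x400                           # RVA 0x30CB -> file offset
    img[off:off + len(IOC_ENTRY_PREFIX)] = IOC_ENTRY_PREFIX
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_pe(sample))
    print(triage(sample))
```

Run it against a real file with `triage(open(path, "rb").read())`; the constructed sample reports `hash_match` False (it is not the listed file) while the entry RVA and entry-byte prefix match, which is the usual picture for a repacked NSIS build of the same stub: the stub code matches while the file digests do not.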

The file wildwestsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments. The two yontoo.com hosts are the indicators specific to this adware family; wac.edgecastcdn.net is a shared Edgecast CDN hostname that serves many unrelated sites, so a connection to it is not, on its own, evidence of this installer.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
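To turn the three connections above into detection logic, the following added example (not herdProtect's code) scans proxy log lines for the listed hosts and IPs, grouping hits per client. It generalizes slightly beyond the page: any host under yontoo.com is treated as a high-confidence indicator, not only the two listed subdomains, while wac.edgecastcdn.net and its IP only produce a low-confidence hit that needs corroboration, because the CDN host is shared. The log format, client addresses and URL paths in SAMPLE_LOG are constructed for the demo.

```python
"""Added example (not herdProtect's code): match proxy logs against the
network indicators listed on this page and rank hits by confidence."""
import re
from collections import defaultdict

# Indicators from this page: host -> IP observed
HIGH_CONFIDENCE = {"service.yontoo.com": "8.25.35.148", "api.yontoo.com": "8.25.35.15"}
LOW_CONFIDENCE = {"wac.edgecastcdn.net": "72.21.81.13"}   # shared CDN host, not family-specific
HIGH_IPS = set(HIGH_CONFIDENCE.values())
LOW_IPS = set(LOW_CONFIDENCE.values())

# Constructed proxy log: "<date> <time> <client> <method> <url> <dst_ip> <status>"
SAMPLE_LOG = """\
2015-06-23 14:02:11 10.1.4.22 GET http://service.yontoo.com/update 8.25.35.148 200
2015-06-23 14:02:12 10.1.4.22 GET http://wac.edgecastcdn.net/ads.js 72.21.81.13 200
2015-06-23 14:02:13 10.1.4.22 POST http://api.yontoo.com/report 8.25.35.15 200
2015-06-23 14:03:40 10.1.4.9 GET http://wac.edgecastcdn.net/static.png 72.21.81.13 200
2015-06-23 14:04:02 10.1.4.31 GET http://www.example.com/ 93.184.216.34 200
2015-06-23 14:05:17 10.1.4.50 CONNECT 8.25.35.148:80 8.25.35.148 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)")   # host from "scheme://host/path" or "host:port"


def classify(line: str):
    """Return (client, level, indicator) for a line that touches an IOC, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, dst_ip, _status = m.groups()
    hm = HOST_RE.match(url.lower())
    host = hm.group(1) if hm else ""
    if host == "yontoo.com" or host.endswith(".yontoo.com"):
        return client, "high", host
    if dst_ip in HIGH_IPS:                      # direct-to-IP or CONNECT traffic
        return client, "high", dst_ip
    if host in LOW_CONFIDENCE or dst_ip in LOW_IPS:
        return client, "low", host or dst_ip
    return None


def summarize(log_text: str) -> dict:
    """Group indicator hits per client IP, keyed by confidence level."""
    hits = defaultdict(lambda: {"high": set(), "low": set()})
    for line in log_text.splitlines():
        c = classify(line)
        if c:
            client, level, indicator = c
            hits[client][level].add(indicator)
    return dict(hits)


def verdicts(summary: dict) -> dict:
    """'likely' when a yontoo.com indicator fired; 'review' when only the CDN host did."""
    return {c: ("likely" if h["high"] else "review") for c, h in summary.items()}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for client, verdict in verdicts(summary).items():
        print(client, verdict, sorted(summary[client]["high"]), sorted(summary[client]["low"]))
```

The separation matters operationally: blocking or alerting on 72.21.81.13 or wac.edgecastcdn.net outright would hit legitimate CDN traffic, so the low-confidence bucket is only useful alongside a yontoo.com hit from the same client.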

Remove wildwestsetup.exe - Powered by Reason Core Security