yatqa.exe

The application yatqa.exe has been detected as a potentially unwanted program by 10 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, but the file is not signed with an Authenticode signature from a trusted source. The installer displays context-specific advertisements in the browser and attempts to change the browser's search provider. The file has been seen being downloaded from dc416.4shared.com.
MD5:
40d20566100503527a79e3d5d5501545

SHA-1:
b30c9121080e61033933c572fdb557ceed4481a3

SHA-256:
e6ae4278ff35e082c5d1ab33f58c674d19f97a6f03a70d9713fcdf515b2f7bf3

Scanner detections:
10 / 68

Status:
Potentially unwanted

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
12/25/2024 6:16:31 PM UTC

Scan engine           Detection                      Engine version
avast!                Win32:Malware-gen              2014.9-160120
AVG                   FakeAV                         2017.0.2858
Comodo Security       UnclassifiedMalware            22445
Fortinet FortiGate    Malware_fam.NB                 1/20/2016
IKARUS anti.virus     Trojan.Win32.FakeAV            t3scan.1.9.5.0
McAfee                Artemis!40D205661005           5600.6514
Sophos                Mal/Generic-S                  4.98
SUPERAntiSpyware      PUP.Babylon Toolbar/Variant    9373
Vba32 AntiVirus       Hoax.ArchSMS.np                3.12.26.4
VIPRE Antivirus       Trojan.Win32.Generic           41118

File size:
1.2 MB (1,223,667 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\yatqa.exe

File PE Metadata
Compilation timestamp:
12/5/2009 8:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:QkSznU+1exu5ie6OQikfzLC5HE3ItMQT9mUtqrPh3:7SzU+1eUF6ObMLyGItMQT9J8rP5

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
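As a practical way of checking the facts this page lists for the sample (the three file hashes, the PE metadata fields, the absence of an Authenticode signature and the NSIS packer), here is an added Python example; it is not part of the Reason Core Security page. It parses a PE32 header with the standard library only, reports whether an Authenticode blob is attached (presence, not validity) by reading the security data directory, and looks for the NSIS 2.x first-header marker in the overlay. Because the real file is not reproduced here, the block builds a constructed stand-in image carrying the header values from this page; run `triage()` on the bytes of the actual download to compare its output with the listing. The compilation timestamp on the page is assumed to be shown in UTC.

```python
"""Static triage of a Windows installer such as yatqa.exe (added example)."""
import hashlib
import struct
from datetime import datetime, timezone

# Hashes as listed on this page for yatqa.exe.
PAGE_HASHES = {
    "md5": "40d20566100503527a79e3d5d5501545",
    "sha1": "b30c9121080e61033933c572fdb557ceed4481a3",
    "sha256": "e6ae4278ff35e082c5d1ab33f58c674d19f97a6f03a70d9713fcdf515b2f7bf3",
}

# NSIS 2.x "first header": 0xDEADBEEF (little-endian) followed by "NullsoftInst",
# written into the overlay after the stub's last section.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"

SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 in the same form the listing uses (lowercase hex)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes) -> dict:
    """Extract the header fields this page reports from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    _machine, _nsect, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # Optional header: Magic, linker major/minor, SizeOfCode, SizeOfInitData, SizeOfUninitData, AddressOfEntryPoint
    magic, lnk_major, lnk_minor, code_size, _, _, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)   # MajorOperatingSystemVersion / Minor
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Data directory 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; a non-zero size means an
    # Authenticode blob is attached. Presence only: validity needs a chain check.
    _sec_off, sec_size = struct.unpack_from("<II", data, opt + 96 + 4 * 8)
    return {
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "entry_point": f"0x{entry:X}",
        "code_size": code_size,
        "authenticode_present": sec_size > 0,
    }


def triage(data: bytes) -> dict:
    """Combine hashes, PE fields and the NSIS check into one report."""
    info = parse_pe(data)
    info["hashes"] = file_hashes(data)
    info["hashes_match_page"] = info["hashes"] == PAGE_HASHES
    info["nsis_installer"] = NSIS_MAGIC in data
    return info


def indicators(info: dict) -> list:
    """Plain-language flags a reviewer would record for the listing."""
    flags = []
    if info["hashes_match_page"]:
        flags.append("hashes match the sample listed on this page")
    if info["nsis_installer"]:
        flags.append("NSIS installer (bundled offers are possible)")
    if not info["authenticode_present"]:
        flags.append("no Authenticode signature attached")
    return flags


def build_sample_pe() -> bytes:
    """Constructed PE32 image carrying the header values this page lists for yatqa.exe.
    It is NOT the real file: it has no code, will not run, and its hashes differ."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    ts = int(datetime(2009, 12, 5, 20, 50, 46, tzinfo=timezone.utc).timestamp())  # assumed UTC
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 6, 0, 23552, 0, 0, 0x323C)  # linker 6.0, code 23,552, EP 0x323C
    struct.pack_into("<HH", opt, 40, 4, 0)   # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)       # Windows GUI
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes; security directory stays zero (unsigned)
    section = bytes(40)                      # one zeroed section header, not read by the parser
    overlay = b"\x00" * 4 + NSIS_MAGIC + b"\x00" * 16  # NSIS first header marker in the overlay
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + overlay


if __name__ == "__main__":
    report = triage(build_sample_pe())
    for key, value in report.items():
        print(f"{key}: {value}")
    print("indicators:", indicators(report))
```

On the real download, `hashes_match_page` is the first thing to check: the three hashes identify this exact build, and a different SHA-256 means a different file to which none of the listed detections apply. A non-zero security directory only says a signature blob is attached; verify the chain separately with `signtool verify /pa` or osslsigncode before treating the file as signed by a trusted source.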

The file yatqa.exe has been seen being distributed from the following host: dc416.4shared.com.

Remove yatqa.exe - Powered by Reason Core Security