yontooclientsetup.exe

Yontoo Layers

Yontoo Technology, Inc.

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application yontooclientsetup.exe by Yontoo Technology has been detected as adware by 8 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from download.yontoo.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Theme Your World LLC  (signed by Yontoo Technology, Inc.)

Product:
Yontoo Layers

Description:
Installer

Version:
2011.4.13.1648

MD5:
22777f28303b9efd2d3bc9df46d17da0

SHA-1:
6ec283f651d32d8b517a636b454797677d56ebbf

SHA-256:
e776905a2c952f4008db9ce1656bf74c2ff7bbe64eedb80977fefa110ec0323e

Scanner detections:
8 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
12/24/2024 11:34:58 AM UTC

Scan engine            Detection                            Engine version
Avira AntiVirus        ADWARE/Yontoo.Gen                    7.11.106.104
Dr.Web                 Adware.Plugin.11                     9.0.1.0196
ESET NOD32             Win32/Adware.Yontoo (variant)        8.8891
IKARUS anti.virus      AdWare.Yontoo                        t3scan.2.0.127
Norman                 Agent.VBAZ.dropper                   11.20140715
Reason Heuristics      PUP.Installer.YontooTechnology.R     14.7.15.18
Rising Antivirus       Trojan.InstallRex!562A               23.00.65.14713
VIPRE Antivirus        Yontoo                               22200

File size:
888.3 KB (909,608 bytes)

Product version:
1.10.01

Copyright:
Copyright © 2011 Theme Your World LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
9/2/2009 12:41:20 PM

Valid to:
9/2/2012 12:41:20 PM

Subject:
CN="Yontoo Technology, Inc.", OU=Product Development, O="Yontoo Technology, Inc.", L=Carlsbad, S=CA, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
6A08909DDA7B

File PE Metadata
Compilation timestamp:
8/19/2010 6:08:13 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:wInOmj7WFB8VeU7QVIMrhY1gHPTM6ny9BdOLXr3KaodB/M0uUg+tEoHN:RvWB47QeM0oIzvwLXr6aoB0HuEoHN

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...

Entropy:
7.9942

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file yontooclientsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
