yontooclientsetup.exe

Yontoo Layers Client

Yontoo Technology, Inc.

This is the installer for the Yontoo Layers Client, a web browser plugin that injects unwanted advertisements into the pages the user visits. yontooclientsetup.exe, published by Yontoo Technology, Inc., was flagged as adware by 2 of the 68 anti-malware engines consulted. It is a setup/installation application that has been known to bundle potentially unwanted software. The file has been observed being downloaded from download.yontoo.com. While running, it connects to api.yontoo.com over HTTP on port 80. The installer is Authenticode-signed by the publisher with a GoDaddy-issued certificate whose validity period ended in 2012 (see Digital Signature below); a signature that still verifies after that date depends on a trusted timestamp countersignature, or on the checker ignoring expiry, so the "verified" status should be re-checked on the sample in hand rather than assumed.
Publisher:
Yontoo Technology, Inc.  (signed and verified)

Product:
Yontoo Layers Client

Description:
Installer

Version:
2010.9.14.906

MD5:
0a9118d96054cabf34f4abc4bc8f3659

SHA-1:
e8179e738f39096f851285deb98c2c69aa44202e

SHA-256:
3515900bdae6498c9eb6c0bf875383ef8952261e5fd9ecc9f65f7b4c63abfb7d

Scanner detections:
2 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser, installed with minimal or no user consent.

Analysis date:
12/24/2024 12:32:45 PM UTC

Scan engine        Detection                                   Engine version
Reason Heuristics  PUP.Yontoo.YontooTechnology.Installer (M)   16.1.23.18
VIPRE Antivirus    Yontoo                                      8973

File size:
592.2 KB (606,400 bytes)

Product version:
1.10.01

Copyright:
Copyright (c) 2010 Yontoo Technology, Inc. All rights reserved

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\~ my downloads\downloads\yontooclientsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
9/2/2009 1:41:20 PM

Valid to:
9/2/2012 1:41:20 PM

Subject:
CN="Yontoo Technology, Inc.", OU=Product Development, O="Yontoo Technology, Inc.", L=Carlsbad, S=CA, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
6A08909DDA7B

File PE Metadata
Compilation timestamp:
8/19/2010 7:08:13 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:SIbTXHYtHmwM4azldZZBpvIxdXa82xpRDq/BJKKVLa:hX6mwsldZZBlma82nRW9

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...

Entropy:
7.9883

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)
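The hashes and the entropy figure above are the values a practitioner matches a suspect file against. An entropy of 7.9883 bits per byte is close to the 8.0 maximum, which together with a 7.5 KB code section inside a 592 KB file is what a small installer stub carrying a compressed payload looks like; the entropy figure alone therefore says "packed", not "malicious". The following script is an added example, not code from the report or from the publisher: it recomputes MD5/SHA-1/SHA-256 and Shannon entropy for a file and compares them with the values listed on this page. The 7.0 packing threshold is an assumed heuristic, and the demo buffers are constructed, not the real sample.

```python
"""Recompute file hashes and Shannon entropy and compare them with a scanner report.

Added example (not the scanner's or the publisher's code). Standard library only.
"""
import hashlib
import math
import sys
from collections import Counter

# Values as listed in the report for yontooclientsetup.exe (copied, not computed here).
REPORTED = {
    "md5": "0a9118d96054cabf34f4abc4bc8f3659",
    "sha1": "e8179e738f39096f851285deb98c2c69aa44202e",
    "sha256": "3515900bdae6498c9eb6c0bf875383ef8952261e5fd9ecc9f65f7b4c63abfb7d",
    "size": 606400,
    "entropy": 7.9883,
}

# Assumed heuristic: above this many bits/byte the bulk of a file is compressed or encrypted.
PACKED_THRESHOLD = 7.0


def digests(data: bytes) -> dict:
    """Hex digests for the three algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_sample(data: bytes, reported: dict = REPORTED) -> dict:
    """Compare a buffer against the reported size and hashes and flag high entropy."""
    d = digests(data)
    ent = shannon_entropy(data)
    return {
        "size_match": len(data) == reported["size"],
        "hash_match": all(d[k] == reported[k] for k in ("md5", "sha1", "sha256")),
        "entropy": round(ent, 4),
        "entropy_delta": round(ent - reported["entropy"], 4),
        "likely_packed": ent > PACKED_THRESHOLD,
    }


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_sample(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        # Constructed demo buffers (not the real sample): constant bytes vs. uniform bytes.
        for label, buf in (("zeros", b"\x00" * 1024), ("uniform", bytes(range(256)) * 4)):
            print(label, round(shannon_entropy(buf), 4), check_sample(buf)["likely_packed"])
```

Run it as `python check_sample.py yontooclientsetup.exe`; all three hashes must match for the sample to be the file described here, and a size mismatch with matching entropy usually means a different build of the same packer rather than the same file.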

The file yontooclientsetup.exe has been seen being distributed from the download.yontoo.com domain noted above.

The executing file has been seen to make the following network communications in live environments. Note that wac.edgecastcdn.net is a shared CDN hostname used by many unrelated tenants, so on its own it is a weak indicator; the yontoo.com hosts are the specific ones.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
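The hosts and addresses above are the indicators worth hunting for in proxy or DNS logs. The script below is an added example, not part of the report: it parses a constructed log format (assumed: `<timestamp> <client-ip> <destination>:<port>`, not any real product's format) and triages clients, treating any host under yontoo.com or the two 8.25.35.x addresses as a strong match and the shared CDN hostname and its address as weak evidence that only earns a "review" verdict. The log lines are constructed for the demo; the generalisation to the whole yontoo.com zone goes beyond the three hosts the page lists.

```python
"""Triage proxy/DNS log lines against the network indicators from the report.

Added example (not the scanner's code). Log format and sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Strong indicators: specific to this adware family.
STRONG_DOMAINS = ("yontoo.com",)              # covers api., service., download.yontoo.com
STRONG_IPS = {"8.25.35.148", "8.25.35.15"}    # service.yontoo.com / api.yontoo.com at analysis time
# Weak indicators: shared CDN infrastructure with many legitimate tenants.
WEAK_HOSTS = {"wac.edgecastcdn.net"}
WEAK_IPS = {"72.21.81.13"}

# Assumed log format: "<iso-timestamp> <client-ip> <dest-host-or-ip>:<port>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([^\s:]+):(\d+)$")


def classify_dest(dest: str):
    """Return 'strong', 'weak' or None for a destination host name or IP address."""
    dest = dest.lower().rstrip(".")
    try:
        ipaddress.ip_address(dest)
    except ValueError:
        # Host name: match the zone (exact or any subdomain) rather than a fixed host list.
        if any(dest == z or dest.endswith("." + z) for z in STRONG_DOMAINS):
            return "strong"
        return "weak" if dest in WEAK_HOSTS else None
    if dest in STRONG_IPS:
        return "strong"
    return "weak" if dest in WEAK_IPS else None


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, dest, port = m.groups()
    return {"ts": ts, "client": client, "dest": dest, "port": int(port),
            "level": classify_dest(dest)}


def triage(lines):
    """Map client IP -> 'yontoo-adware' (any strong hit) or 'review' (weak hits only)."""
    hits = defaultdict(lambda: {"strong": [], "weak": []})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"]:
            hits[rec["client"]][rec["level"]].append(rec["dest"])
    verdicts = {}
    for client, h in hits.items():
        if h["strong"]:
            verdicts[client] = "yontoo-adware"
        elif h["weak"]:
            verdicts[client] = "review"
    return verdicts


# Constructed sample log (not captured from a real host).
SAMPLE_LOG = """\
2024-12-24T12:32:45Z 10.0.0.5 api.yontoo.com:80
2024-12-24T12:32:46Z 10.0.0.5 wac.edgecastcdn.net:80
2024-12-24T12:33:01Z 10.0.0.7 wac.edgecastcdn.net:80
2024-12-24T12:33:05Z 10.0.0.9 8.25.35.148:80
2024-12-24T12:34:00Z 10.0.0.11 www.example.com:443
""".splitlines()

if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(client, verdict)
```

The host 10.0.0.7 only touched the CDN and therefore lands in "review" rather than being flagged: a CDN hit is worth a look next to other evidence, but alerting on it alone would page on every site served through the same CDN.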

Powered by Reason Core Security