yontoosetup-silent.exe

Yontoo

Yontoo LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The application yontoosetup-silent.exe by Yontoo has been detected as adware by 12 anti-malware scanners. It is a setup and installation application that has been known to bundle potentially unwanted software, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from dl.kbm2.com.

Publisher:
Yontoo LLC  (signed and verified)

Product:
Yontoo

Description:
Installer

Version:
2012.5.11.1459

MD5:
8398a8fdf7d0018b714f164642984026

SHA-1:
1d3e166a639b18eac630d9e92038d665053b6eb1

SHA-256:
38a1e46c7fe778b1538046870c46734d8fe659bd0ab9e535821b9c9882b58919

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser, installed with minimal or no user consent.

Analysis date:
11/14/2024 9:26:54 PM UTC

Scan engine          Detection                        Engine version
Agnitum Outpost      Adware.Yontoo                    7.1.1
Avira AntiVirus      ADWARE/Yontoo.Gen                7.11.153.238
Baidu Antivirus      Trojan.Win32.Adware              4.0.3.14720
Boost by Reason      Optional.Yontoo.S                188838
Comodo Security      Heur.Suspicious                  18486
Dr.Web               Adware.Siggen.24249              9.0.1.0201
ESET NOD32           Win32/Adware.Yontoo (variant)    8.9914
Fortinet FortiGate   Riskware/Yontoo                  7/20/2014
IKARUS anti.virus    AdWare.Yontoo                    t3scan.1.6.1.0
NANO AntiVirus       Trojan.Html.Plugin.bopldg        0.28.0.60100
Reason Heuristics    PUP.Installer.Yontoo.S           14.8.7.17
VIPRE Antivirus      Yontoo                           30108

File size:
1 MB (1,051,040 bytes)

Product version:
1.10.02

Copyright:
Copyright (c) 2011 Yontoo LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\yontoosetup-silent.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
12/6/2011 6:00:00 PM

Valid to:
12/6/2012 5:59:59 PM

Subject:
CN=Yontoo LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Yontoo LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4F8617352536F013088C9B5533AA4440

File PE Metadata
Compilation timestamp:
3/10/2011 8:55:32 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:8bfU+LJ9MBAMswkckLLrZKG5y4MjLB0Cx/V37CZdm6+pSfp7kOE6w3:B2JmiMELLEn42l0Cn7CZdOGoOEv

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...

Entropy:
7.9954

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file yontoosetup-silent.exe has been seen being distributed by the following URL.

http://dl.kbm2.com/download/.../20125111459.exe
