yontoosetup.exe

Yontoo

Yontoo LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application yontoosetup.exe by Yontoo has been detected as adware by 20 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. The file has been seen being downloaded from dl.yontoo.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Yontoo LLC  (signed and verified)

Product:
Yontoo

Description:
Installer

Version:
2013.2.21.1544

MD5:
3e17725d0771f903eb5cd13c091d7a2f

SHA-1:
49ae9a9bccbfbe22ee4da0559cfb601188a1bc11

SHA-256:
b0de4a26d86ebb94606b2a19b68689c07db860948255c7acfa299bef0b0c0b98

Scanner detections:
20 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
11/27/2024 1:58:10 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Adware.Yontoo
7.1.1

Avira AntiVirus
ADWARE/Yontoo.Gen
7.11.98.36

AVG
AdInject.Yontoo
2014.0.3542

Baidu Antivirus
Adware.Win32.Agent
4.0.3.131126

Bkav FE
W32.Clod764.Trojan
1.3.0.4562

Boost by Reason
Optional.Yontoo.L
188838

Comodo Security
ApplicUnwnt
16821

Dr.Web
Adware.Plugin.11
9.0.1.0239

ESET NOD32
Win32/Adware.Yontoo (variant)
7.8726

F-Prot
W32/Adware.AKRV
v6.4.7.1.166

IKARUS anti.virus
AdWare.Yontoo
t3scan.2.0.127

K7 AntiVirus
Adware
13.170.9377

McAfee
Artemis!B1A9C17E5529
5600.7271

MicroWorld eScan
ADWARE/Yontoo.Gen
14.0.0.990

Reason Heuristics
PUP.Installer.Yontoo.L
14.8.7.17

Rising Antivirus
Trojan.InstallRex!562A
23.00.65.13825

Trend Micro House Call
TROJ_GEN.RCBH1ET13
7.2.239

Trend Micro
BKDR_BIFROSE.BMC
10.465.27

VIPRE Antivirus
Yontoo
20864

XVirus List
Win.Detected
2.3.31

File size:
1 MB (1,098,088 bytes)

Product version:
2.04

Copyright:
Copyright (c) 2013 Yontoo LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\yontoosetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/23/2012 5:00:00 PM

Valid to:
12/23/2013 3:59:59 PM

Subject:
CN=Yontoo LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Yontoo LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4A49FB7E6B0BCF398A1ACF39EA80D982

File PE Metadata
Compilation timestamp:
8/8/2011 3:55:34 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:hYU09o4v6S+pQNeOIev7sl/ZkKb8u5R4hpq9Kt99eExCjeMcWdm:W9LCS+SNSev2LbDfO+K/9e7je3t

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...
 
[+]

Entropy:
7.9952

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file yontoosetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove yontoosetup.exe - Powered by Reason Core Security