yontoosetup.exe

Yontoo

Yontoo LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application yontoosetup.exe by Yontoo has been detected as adware by 20 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from dl.yontoo.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Yontoo LLC  (signed and verified)

Product:
Yontoo

Description:
Installer

Version:
2013.4.30.2113

MD5:
280e9d0d3311cc57c7d3dd7f5e437cfc

SHA-1:
552ee4f57c9683f7e82b13cf3f414188c653582d

SHA-256:
6a5479f3df99dcb52bd338715c11989487dbacda7c53be2d8355b356096955b7

Scanner detections:
20 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
12/24/2024 11:44:23 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Adware.Yontoo
7.1.1

Avira AntiVirus
ADWARE/Yontoo.Gen
7.11.98.36

AVG
AdInject.Yontoo
2014.0.3643

Baidu Antivirus
Adware.Win32.Agent
4.0.3.131126

Bkav FE
W32.Clod764.Trojan
1.3.0.4562

Boost by Reason
Optional.Yontoo.L
188838

Comodo Security
ApplicUnwnt
16821

Dr.Web
Adware.Plugin.11
9.0.1.0241

ESET NOD32
Win32/Adware.Yontoo (variant)
7.8726

F-Prot
W32/Adware.AKRV
v6.4.7.1.166

IKARUS anti.virus
AdWare.Yontoo
t3scan.2.0.127

K7 AntiVirus
Adware
13.170.9377

McAfee
Artemis!B1A9C17E5529
5600.7271

MicroWorld eScan
ADWARE/Yontoo.Gen
14.0.0.990

Reason Heuristics
PUP.Installer.Yontoo.L
14.8.7.17

Rising Antivirus
Trojan.InstallRex!562A
23.00.65.131124

Trend Micro House Call
TROJ_GEN.RCBH1ET13
7.2.241

Trend Micro
BKDR_BIFROSE.BMC
10.465.26

VIPRE Antivirus
Yontoo
20864

XVirus List
Win32.Detected
2.8.7

File size:
1.1 MB (1,102,024 bytes)

Product version:
2.053

Copyright:
Copyright (c) 2013 Yontoo LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\yontoosetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/23/2012 5:00:00 PM

Valid to:
12/23/2013 3:59:59 PM

Subject:
CN=Yontoo LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Yontoo LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4A49FB7E6B0BCF398A1ACF39EA80D982

File PE Metadata
Compilation timestamp:
3/10/2011 6:55:32 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:itNNkJmiKsSvNMQHhi81RIju+HXYzehV7Wg8ET1hmNb:uNmfFk/w81abV70EY

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...
 
[+]

Entropy:
7.9953

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file yontoosetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove yontoosetup.exe - Powered by Reason Core Security