yontoosetup.exe

Yontoo

Yontoo LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application yontoosetup.exe by Yontoo has been detected as adware by 20 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from dl.yontoo.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Yontoo LLC  (signed and verified)

Product:
Yontoo

Description:
Installer

Version:
2013.2.15.1200

MD5:
3366dcc4c926d6c984691c1ba682fd5d

SHA-1:
90c203318b97779b55826b49b7e0d443e229388c

SHA-256:
629b31ecd4d21cc0ffc7bea7f3080b6bf66cf2958d4d7c37dac2f6e532db71ae

Scanner detections:
20 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
11/14/2024 9:05:19 PM UTC

Scan engine               Detection                         Engine version
Agnitum Outpost           Adware.Yontoo                     7.1.1
Avira AntiVirus           ADWARE/Yontoo.Gen                 7.11.98.36
AVG                       AdInject.Yontoo                   2014.0.3611
Baidu Antivirus           Adware.Win32.Agent                4.0.3.131229
Bkav FE                   W32.Clod764.Trojan                1.3.0.4562
Boost by Reason           Optional.Yontoo.L                 188838
Comodo Security           ApplicUnwnt                       16821
Dr.Web                    Adware.Plugin.11                  9.0.1.0363
ESET NOD32                Win32/Adware.Yontoo (variant)     7.8726
F-Prot                    W32/Adware.AKRV                   v6.4.7.1.166
IKARUS anti.virus         AdWare.Yontoo                     t3scan.2.0.127
K7 AntiVirus              Adware                            13.170.9377
McAfee                    Artemis!B1A9C17E5529              5600.7267
MicroWorld eScan          ADWARE/Yontoo.Gen                 14.0.0.1089
Reason Heuristics         PUP.Installer.Yontoo.L            14.8.7.17
Rising Antivirus          Trojan.InstallRex!562A            23.00.65.131227
Trend Micro House Call    TROJ_GEN.RCBH1ET13                7.2.363
Trend Micro               BKDR_BIFROSE.BMC                  10.465.29
VIPRE Antivirus           Yontoo                            20864
XVirus List               Win.Detected                      2.3.31

File size:
1 MB (1,096,608 bytes)

Product version:
2.04

Copyright:
Copyright (c) 2013 Yontoo LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\yontoosetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/24/2012 2:00:00 AM

Valid to:
12/24/2013 12:59:59 AM

Subject:
CN=Yontoo LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Yontoo LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4A49FB7E6B0BCF398A1ACF39EA80D982

File PE Metadata
Compilation timestamp:
3/11/2011 3:55:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:BtuRZmMJ/KMvHFI2vZsUgV1Qh9ybpHFcbtPu/NJQWEpH:TOZmMJ/XlNBsUvybpWbsNjeH

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file yontoosetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
