yontoosetup.exe

Yontoo

Yontoo LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application yontoosetup.exe by Yontoo has been detected as adware by 20 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from dl.yontoo.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Yontoo LLC  (signed and verified)

Product:
Yontoo

Description:
Installer

Version:
2013.3.13.1427

MD5:
3bf9a2450929e5f2436ab68dbfec5af2

SHA-1:
9d21dede5c296c33b6c6a94bcc9eed0ea36ab6b1

SHA-256:
75f3fbb06a8e35425e0bcdd77ed53efa3f4d665197e81712475a20e445ac1563

Scanner detections:
20 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
12/24/2024 12:45:16 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Adware.Yontoo
7.1.1

Avira AntiVirus
ADWARE/Yontoo.Gen
7.11.117.56

AVG
AdInject.Yontoo
2015.0.3557

Baidu Antivirus
Adware.Win32.Agent
4.0.3.14221

Bkav FE
W32.Clod764.Trojan
1.3.0.4562

Boost by Reason
Optional.Yontoo.L
188838

Comodo Security
UnclassifiedMalware
17365

Dr.Web
Adware.Yontoo.3
9.0.1.052

ESET NOD32
Win32/Adware.Yontoo (variant)
8.9118

F-Prot
W32/Adware.AKRV
v6.4.7.1.166

IKARUS anti.virus
AdWare.Yontoo
t3scan.2.2.29

K7 AntiVirus
Adware
13.170.9377

McAfee
Artemis!B1A9C17E5529
5600.7213

MicroWorld eScan
ADWARE/Yontoo.Gen
15.0.0.156

Reason Heuristics
PUP.Installer.Yontoo.L
14.8.7.17

Rising Antivirus
PE:Trojan.InstallRex!1.9CB0
23.00.65.14219

Trend Micro House Call
TROJ_GEN.RCBH1ET13
7.2.52

Trend Micro
BKDR_BIFROSE.BMC
10.465.21

VIPRE Antivirus
Yontoo
23916

XVirus List
Win.Detected
2.3.31

File size:
1 MB (1,100,720 bytes)

Product version:
2.05

Copyright:
Copyright (c) 2013 Yontoo LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\yontoosetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/24/2012 1:00:00 AM

Valid to:
12/24/2013 12:59:59 AM

Subject:
CN=Yontoo LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Yontoo LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4A49FB7E6B0BCF398A1ACF39EA80D982

File PE Metadata
Compilation timestamp:
3/11/2011 3:55:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:ctCifpKNAxJDMIkx79CTLtYbX01ufRqrA76El:EfpKgDox74tYg1uf176El

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...
 
[+]

Code size:
7.5 KB (7,680 bytes)

The file yontoosetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove yontoosetup.exe - Powered by Reason Core Security