home

793d4bd.tmp

Yontoo

Yontoo LLC

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file 793d4bd.tmp by Yontoo has been detected as adware by 13 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from dl-2.kbm2.com.
Publisher:
Yontoo LLC  (signed and verified)

Product:
Yontoo

Description:
Installer

Version:
2013.1.11.1325

MD5:
23e5d5bd804b69e116bd46ce18dcd56e

SHA-1:
d1b9a7dbbfe77cec20ba8eba77c91cf368e73c7e

SHA-256:
078b32707ea83663cb015cf4ff10e3457f42a5b4ac48c7d4a3964b6add88b952

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
4/26/2024 12:56:09 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Adware.Yontoo
7.1.1

Avira AntiVirus
ADWARE/Yontoo.Gen
7.11.128.32

AVG
AdInject.Yontoo
2016.0.2981

Baidu Antivirus
Trojan.Win32.Adware
4.0.3.15920

Comodo Security
UnclassifiedMalware
17705

Dr.Web
Adware.Yontoo.3
9.0.1.0263

ESET NOD32
Win32/Adware.Yontoo (variant)
9.9361

IKARUS anti.virus
AdWare.Yontoo
t3scan.2.2.29

Reason Heuristics
PUP.Yontoo.Installer (M)
15.9.20.8

Rising Antivirus
PE:Trojan.Win32.Generic.1400B85B!335591515
23.00.65.15918

Trend Micro House Call
BKDR_BIFROSE.BMC
7.2.263

Trend Micro
BKDR_BIFROSE.BMC
10.465.20

VIPRE Antivirus
Yontoo
25990

File size:
1 MB (1,068,992 bytes)

Product version:
1.12.02

Copyright:
Copyright (c) 2013 Yontoo LLC. All rights reserved.

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\793d4bd.tmp

Digital Signature
Signed by:
Yontoo LLC

Authority:
VeriSign, Inc.

Valid from:
10/24/2012 3:00:00 AM

Valid to:
12/24/2013 2:59:59 AM

Subject:
CN=Yontoo LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Yontoo LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4A49FB7E6B0BCF398A1ACF39EA80D982

File PE Metadata
Compilation timestamp:
3/11/2011 5:55:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:ktnIgB+6SvgwoMrSNncBPp0rORlGy+S0bgEzD:cjhwoMmFi+5y+Sk9zD

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...
 
[+]

Entropy:
7.9949

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file 793d4bd.tmp has been seen being distributed by the following URL.

http://dl-2.kbm2.com/.../yontoosetup.exe

Remove 793d4bd.tmp - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.