home

installer.exe

ProxyInstaller

Sea Bug

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application installer.exe by Sea Bug has been detected as adware by 5 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d32k27yvyi4kmv.cloudfront.net.
Publisher:
Sea Bug  (signed and verified)

Product:
ProxyInstaller

Version:
1.0.0.0

MD5:
711c7e24a567a6b631fd24abdbe139cc

SHA-1:
19ea944d59321627d795175f5c853170c5917bd8

SHA-256:
b50b858083e4b52cc1e0b9f6d894fd91b3e92b7bdb01d2bd5b09bd6c0eb1d158

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
5/8/2024 7:52:30 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2015.0.3294

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10460

herdProtect (fuzzy)
variant of lookthisupuninstall.exe (Adware)
2014.11.10.23

Malwarebytes
PUP.Optional.ProxyInstaller
v2014.09.14.05

Reason Heuristics
PUP.Installer.SeaBug.J
14.9.14.5

File size:
201.6 KB (206,480 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2014

Original file name:
ProxyInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\installer.exe

Digital Signature
Signed by:
Sea Bug

Authority:
GoDaddy.com, Inc.

Valid from:
7/25/2014 10:59:04 PM

Valid to:
7/25/2015 10:59:04 PM

Subject:
CN=Sea Bug, O=Sea Bug, L=Orange, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
081CF04D6E5726

File PE Metadata
Compilation timestamp:
9/8/2014 10:10:19 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:dZKD9u9BHW/c2TTgTTg6QTgnTOTTs+TnT7TTngnTTzgTBqhnnTngBP7TEhnngpTM:fiu9ippx1TTTFU

Entry address:
0x30F8E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
188 KB (192,512 bytes)

The file installer.exe has been seen being distributed by the following URL.

http://d32k27yvyi4kmv.cloudfront.net/.../Installer.exe

Remove installer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.