Installer.exe

Installer

Sea Bug

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application Installer.exe by Sea Bug has been detected as adware by 22 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Sea Bug  (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
411946af84c04598aafd31106990448b

SHA-1:
84447b21055b410e3e007158025e4349c19dee5d

SHA-256:
dd017ff2ed3c85b4d914d92145eaa237244e3a59093991bdd92707721b7d9b94

Scanner detections:
22 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
4/26/2024 12:45:21 PM UTC

Scan engine              Detection                        Engine version
Lavasoft Ad-Aware        Adware.Agent.OMN                 826
avast!                   Win32:IBryte-FT [PUP]            2014.9-141101
AVG                      Generic                          2015.0.3304
Baidu Antivirus          Adware.MSIL.iBryte               4.0.3.14111
Bitdefender              Adware.Agent.OMN                 1.0.20.1525
Comodo Security          ApplicUnwnt                      19585
Dr.Web                   Adware.iBryte.492                9.0.1.0305
Emsisoft Anti-Malware    Adware.Agent.OMN                 8.14.11.01.07
ESET NOD32               MSIL/Adware.iBryte (variant)     8.10654
Fortinet FortiGate       Adware/IBryte                    11/1/2014
F-Secure                 Adware.Agent.OMN                 11.2014-01-11_7
G Data                   Adware.Agent.OMN                 14.11.24
IKARUS anti.virus        PUA.Downloader                   t3scan.1.7.8.0
K7 AntiVirus             Adware                           13.184.13727
Malwarebytes             Trojan.MSIL.Injector             v2014.11.01.07
McAfee                   Artemis!D7B8795D4A30             5600.6960
MicroWorld eScan         Adware.Agent.OMN                 15.0.0.915
nProtect                 Adware.Agent.OMN                 14.10.19.01
Qihoo 360 Security       HEUR/QVM03.0.Malware.Gen         1.0.0.1015
Reason Heuristics        PUP.Installer.SeaBug.J           14.11.1.7
Sophos                   Generic PUA KH                   4.98
VIPRE Antivirus          iBryte                           34276

File size:
201.1 KB (205,968 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2014

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\installer.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
7/25/2014 10:59:04 PM

Valid to:
7/25/2015 10:59:04 PM

Subject:
CN=Sea Bug, O=Sea Bug, L=Orange, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
081CF04D6E5726

File PE Metadata
Compilation timestamp:
11/1/2014 10:03:29 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:bfI0KO4Ccr2TvzCR0DTbpTDGHdoYxqsfZl:bxKtlCTve6DJDGHqL0L

Entry address:
0x30D1E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
187.5 KB (192,000 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Powered by Reason Core Security