home

Installer.exe

Installer

Sea Bug

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application Installer.exe by Sea Bug has been detected as adware by 22 anti-malware scanners. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Sea Bug  (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
5a1441a9bc2eaa7fb2d21aa5c831ce78

SHA-1:
8c7e27c3cf38af0c8e9b5dc8843406cfee615b43

SHA-256:
e63b5c90756048754b43b8dec8b80d9d2137351bf05c57fbbc1ccfdf95d46bea

Scanner detections:
22 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
4/26/2024 4:57:45 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Agent.OMN
826

avast!
Win32:IBryte-FT [PUP]
2014.9-141031

AVG
Generic
2015.0.3304

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.141031

Bitdefender
Adware.Agent.OMN
1.0.20.1520

Comodo Security
ApplicUnwnt
19585

Dr.Web
Adware.iBryte.492
9.0.1.0304

Emsisoft Anti-Malware
Adware.Agent.OMN
8.14.10.31.10

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10651

Fortinet FortiGate
Adware/IBryte
10/31/2014

F-Secure
Adware.Agent.OMN
11.2014-31-10_6

G Data
Adware.Agent.OMN
14.10.24

IKARUS anti.virus
PUA.Downloader
t3scan.1.7.8.0

K7 AntiVirus
Adware
13.184.13727

Malwarebytes
Trojan.MSIL.Injector
v2014.10.31.10

McAfee
Artemis!D7B8795D4A30
5600.6960

MicroWorld eScan
Adware.Agent.OMN
15.0.0.912

nProtect
Adware.Agent.OMN
14.10.19.01

Qihoo 360 Security
HEUR/QVM03.0.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.SeaBug.J
14.10.31.22

Sophos
Generic PUA KH
4.98

VIPRE Antivirus
iBryte
34276

File size:
201.1 KB (205,968 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2014

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\installer.exe

Digital Signature
Signed by:
Sea Bug

Authority:
GoDaddy.com, Inc.

Valid from:
7/25/2014 4:59:04 PM

Valid to:
7/25/2015 4:59:04 PM

Subject:
CN=Sea Bug, O=Sea Bug, L=Orange, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
081CF04D6E5726

File PE Metadata
Compilation timestamp:
10/31/2014 12:03:33 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:PgfI0EM4C4r2TvzCR0DTbS+YHPUEg3F/VGfSt:4xEDdCTve6DwH813iE

Entry address:
0x30D22

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
6.6019

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
187.5 KB (192,000 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove Installer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.