klippal_setup.exe

Klip Pal

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application klippal_setup.exe by Klip Pal has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Klip Pal  (signed and verified)

MD5:
025e7cc2450aa203d880d7dd356406f5

SHA-1:
2e5090c48182212d2f624e9a4f7a0af4c256cf32

SHA-256:
d60a14302a7c082f6a9c35951075493cd0efd769614a0be91a78f1fd2644f213

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/25/2024 2:04:57 PM UTC

Scan engine           Detection                         Engine version
AVG                   BrowseFox                         2015.0.3305
Baidu Antivirus       Adware.Win32.BrowseFox            4.0.3.141030
Comodo Security       Application.Win32.Ciorik.RWLZ     19799
ESET NOD32            Win64/BrowseFox (variant)         8.10561
Malwarebytes          PUP.Optional.KlipArt.A            v2014.10.30.07
McAfee                Artemis!025E7CC2450A              5600.6961
Qihoo 360 Security    HEUR/Malware.QVM03.Gen            1.0.0.1015
Reason Heuristics     PUP.Installer.KlipPal.N           14.10.30.19
Rising Antivirus      NS:PUF.SilenceInstaller!1.9DDF    23.00.65.141028
SUPERAntiSpyware      Adware.BrowseFox/Variant          10267
VIPRE Antivirus       Yontoo                            33912

File size:
2.3 MB (2,442,256 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\klippal_setup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/4/2014 8:00:00 PM

Valid to:
8/5/2015 7:59:59 PM

Subject:
CN=Klip Pal, O=Klip Pal, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
59A8A4CF2048A90F9AE8754A98A645E4

File PE Metadata
Compilation timestamp:
12/5/2009 5:52:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:4/fj8OaeUMYwVz0gTGdFmeSTHzB3kDqr+77NMqoJYsWqJE+PDmDsa5:OfoObVz0Loa2iVMjSs9JrPDy5

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
