lookthisupuninstall.exe

Installer

Sea Bug

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application lookthisupuninstall.exe by Sea Bug has been detected as adware by 25 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from d32k27yvyi4kmv.cloudfront.net. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Sea Bug  (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
e2e9ddf91805ef6310ecaa630f99a72f

SHA-1:
644fbfa10efea1c10cbd9cedea798a932724afaa

SHA-256:
5f1d262fe4a34faba813cea8c6b079132496663acbf0212f2710bda3fa3dfada

Scanner detections:
25 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
5/8/2024 5:59:31 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Agent.OMN
358

Agnitum Outpost
PUA.Agent
7.1.1

Avira AntiVirus
Adware/MSIL.Agent.hf
7.11.179.120

avast!
Win32:Adware-gen [Adw]
2014.9-160211

AVG
Generic
2017.0.2836

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.16211

Bitdefender
Adware.Agent.OMN
1.0.20.210

Comodo Security
ApplicUnwnt
19854

Dr.Web
Adware.iBryte.492
9.0.1.042

Emsisoft Anti-Malware
Adware.Agent.OMN
8.16.02.11.05

ESET NOD32
MSIL/Adware.iBryte (variant)
10.10617

Fortinet FortiGate
Adware/IBryte
2/11/2016

F-Secure
Adware.Agent.OMN
11.2016-11-02_5

G Data
Adware.Agent.OMN
16.2.24

IKARUS anti.virus
PUA.Downloader
t3scan.1.7.8.0

Malwarebytes
PUP.Optional.SeaBug
v2016.02.11.05

McAfee
RDN/Generic PUP.x!cp3
5600.6492

MicroWorld eScan
Adware.Agent.OMN
17.0.0.126

nProtect
Adware.Agent.OMN
14.10.17.01

Qihoo 360 Security
HEUR/QVM03.0.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Yontoo.SeaBug.Installer (M)
16.2.11.17

Sophos
Generic PUA NK
4.98

Total Defense
Win32/Tnega.UBXHOP
37.0.11238

Trend Micro House Call
Suspicious_GEN.F47V1015
7.2.42

VIPRE Antivirus
iBryte
34106

File size:
200.6 KB (205,456 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2014

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\lookthisup\lookthisupuninstall.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
7/25/2014 10:59:04 PM

Valid to:
7/25/2015 10:59:04 PM

Subject:
CN=Sea Bug, O=Sea Bug, L=Orange, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
081CF04D6E5726

File PE Metadata
Compilation timestamp:
10/18/2014 12:03:28 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:ts5G3LJIAAzEk86Uk/nBNzCi5mbEmUWwUxahvtT6oSLgfk9L:muJIAL36UoTOTb+NUxahLfk9L

Entry address:
0x30B56

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
187 KB (191,488 bytes)

The file lookthisupuninstall.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove lookthisupuninstall.exe - Powered by Reason Core Security