openofficesetup.exe

KBM2 Installer

sterkly LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The application openofficesetup.exe by sterkly has been detected as adware by 11 anti-malware scanners. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software, installing it on the user's computer at the same time without adequate consent. The file has been seen being downloaded from api.kbm2.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
sterkly LLC  (signed and verified)

Product:
KBM2 Installer

Version:
2.5.1.0

MD5:
b8a63486f67b66629105d012c84def6a

SHA-1:
a02f0f7c6aa8de1596322ae207b3547355a5fb4d

SHA-256:
e4eed72ec9d9e0308eb8f88e52967d2c7c85efc7c68cc369f4f535a8a28368ba

Scanner detections:
11 / 68

Status:
Adware

Explanation:
May bundle additional potentially unwanted software such as adware during setup.

Analysis date:
4/26/2024 8:29:49 AM UTC

Scan engine             Detection                                    Engine version
Agnitum Outpost         Riskware.Agent                               7.1.1
AVG                     Adware AdInject.Sterkly                      2014.0.4311
Bkav FE                 W32.HfsAdware                                1.3.0.6379
Dr.Web                  Adware.Downware.1175                         9.0.1.05190
Emsisoft Anti-Malware   Trojan.Win32.KBM.AMN                         8.15.04.26.04
ESET NOD32              Win32/KBM.A potentially unwanted (variant)   9.11532
Fortinet FortiGate      Riskware/MultiPlug                           4/26/2015
F-Prot                  W32/Adware.AKRY                              v6.4.7.1.166
Malwarebytes            PUP.Optional.BundleInstaller.A               v2015.04.26.04
Reason Heuristics       PUP.Yontoo.Installer                         15.4.25.15
VIPRE Antivirus         Threat.4782986                               39354

File size:
809.1 KB (828,536 bytes)

Product version:
2.5.1.0

Copyright:
(c) Sterkly LLC. All rights reserved.

Original file name:
KBM2.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\openofficesetup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/22/2013 12:00:00 AM

Valid to:
2/21/2015 11:59:59 PM

Subject:
CN=sterkly LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=sterkly LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
113C6B2C72DEF110BE64B2ABBC52861E

File PE Metadata
Compilation timestamp:
3/5/2013 7:12:09 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:Djw5VPp0aVBkkE/ZmJyZfY2U6/bKKFZy1d3Hav9QZE:Djw5sanpELZfY2UcKKZyj3Hav9Qi

Entry address:
0x39CB4


Code size:
340.5 KB (348,672 bytes)

The file openofficesetup.exe has been seen being distributed by the following URL.

http://api.kbm2.com/downloadLauncher.ashx?cid=26

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove openofficesetup.exe - Powered by Reason Core Security