» setup.exe
Overview
Analysis
File Details
Downloads (2)
Network (3)

setup.exe

Smart Applications

This is the installer and setup program from the Smart Applications branded Yontoo adware web browser extension. This adware injects various forms of advertisements in the user's web browser based on the HTML content and URLs viewed. Ad include banners, in-line context text links, coupons, and search. The program will install an auto-updating background service that will update the software with additional features. The application setup.exe by Smart Applications has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer.

File name:

setup.exe

Publisher:

Smart Applications (signed and verified)

MD5:

2494293a7cf750b35cf8d00597c167b1

SHA-1:

1b6e9abd559a07123b558d22448e98197c8ed917

SHA-256:

1701c8fd4e1f2c63f5de0b6d222af5217953f8e563d4e943ae5f2f6e46668e56

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:

4/29/2024 12:58:15 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Yontoo.SmartApplications.Installer (M)

15.11.18.9

File size:

1.4 MB (1,498,272 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Language:

Language Neutral

Common path:

C:\users\{user}\downloads\setup.exe

Digital Signature

Signed by:

Smart Applications

Authority:

VeriSign, Inc.

Valid from:

11/13/2014 6:00:00 PM

Valid to:

11/14/2015 5:59:59 PM

Subject:

CN=Smart Applications, O=Smart Applications, L=St. James, S=St. James, C=BB

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

4CF1C880A6746C7D0CDCB1393793A057

File PE Metadata

Compilation timestamp:

6/6/2009 4:41:59 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

24576:C/P58af5ncGtq2lnpxyF4XeOSEwcQSw4iEPqx+czlQD1djAlugk6Ne6ONMegFk7f:opVRrpxy3TEwcQSwtUqx9CD1dK5k6N+/

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Entropy:

7.9803

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.

http://d.getspeedbrowser.com/SpeedBrowser/325/.../Setup.exe

http://vtgtrk.com/?a=1320&c=2876&s5=gameitnow/dl/garrysmod&consent2=4E42A4CB-B3B0-45A1-8ECA-39878BE09F2B&hash=w9TSB6X0RrU3njMMoFWpgTwqCpGQ3QUzZw_PpbmLTLKvqA-3O2KtUBVi8SY85SCxESMMvD0Rttmgh532cqq8TEvt47q8NWi49cVOaefuzFOgaFcCJYPFLfwIimbtW8q7Mhu3kaIbtjJWqyk5RbvYldAb_IVgF1Th6pZDuKDHlS8zfMzO4TVW_pxWWId4BZgfur7sa7V2_ocYt773JNf-3YM4NqxGX-wP_SP-EzH_zn46E-mnBBQFsbeWwE1RMDEP6MXRkBS_bcknBDaDGMWqt6upDjQGt_yJkkb0Y2-IRr_p9vYqWpmMbEJ8i9-4XXUC0lz8fHrPmvn_AIj-xvq31w,,&ignts=142912995712967753&ref=http://www.gameitnow.org/dl/.../

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to wac.edgecastcdn.net (72.21.81.13:80)

TCP (HTTP):

Connects to service.yontoo.com (8.25.35.148:80)

TCP (HTTP):

Connects to api.yontoo.com (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.