» setup.exe
Overview
Analysis
File Details
Network (3)

setup.exe

Price Clip

This is the installer and setup program from the Price Clip branded Yontoo adware web browser extension. This adware injects various forms of advertisements in the user's web browser based on the HTML content and URLs viewed. Ad include banners, in-line context text links, coupons, and search. The program will install an auto-updating background service that will update the software with additional features. The application setup.exe by Price Clip has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer.

File name:

setup.exe

Publisher:

Price Clip (signed and verified)

Version:

2.0.5885.22222

MD5:

5dc384874812cf870a559a8d73c4277c

SHA-1:

1f9891cb90139c3e1e36e549be556e47658847c3

SHA-256:

8a4e1555bb00ffaba32d51ef57d390f12744b0ecd51463d7e3b6648173446d36

Scanner detections:

1 / 68

Status:

Adware

Explanation:

Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:

4/19/2024 2:17:58 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Yontoo (M)

17.3.7.23

File size:

291.2 KB (298,152 bytes)

Product version:

2016.02.11

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\setup.exe

Digital Signature

Signed by:

Price Clip

Authority:

VeriSign, Inc.

Valid from:

3/6/2015 12:00:00 AM

Valid to:

3/5/2016 11:59:59 PM

Subject:

CN=Price Clip, O=Price Clip, L=San Diego, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

54220893A9827AB0A32D39999971BE12

File PE Metadata

Compilation timestamp:

6/5/2014 12:58:35 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

Entry address:

0x334C

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, A8, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, B8, 6C, 44, 00, E8, 1B, 25, 00, 00, 53, 68, 60, 01, 00, 00, A3, C0, 6B, 44, 00, 8D, 44, 24, 38, 50, 53, 68, 3B, 74, 40, 00, FF, 15, 58, 71, 40, 00, 68, 30, 74, 40, 00, 68, C0, 2B, 44, 00, E8, 0D, 24, 00, 00, FF, 15, B0, 70, 40, 00, 50, BF, 00, F0, 46, 00, 57, E8, FB, 23, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

23 KB (23,552 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to wac.edgecastcdn.net (72.21.81.13:80)

TCP (HTTP):

Connects to service.yontoo.com (8.25.35.148:80)

TCP (HTTP):

Connects to api.yontoo.com (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.