setup.exe

InstallVibes

This is the installer and setup program for the InstallVibes-branded Yontoo adware web browser extension. The adware injects advertisements into the user's web browser based on the HTML content and URLs viewed; these include banners, in-line contextual text links, coupons and search ads. The program also installs an auto-updating background service that updates the software with additional features. The file setup.exe from InstallVibes has been detected as adware by 24 anti-malware scanners. It has been seen being downloaded from lp.download-free-videos.com and other hosts. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
InstallVibes (signed and verified)

MD5:
aeaee748dda63a65a1888ac713c95c06

SHA-1:
2ead4b45431071f701739e25e73ef6eb85cacf68

SHA-256:
b92df0e7a1a4e7dbbc9d3203292e1d86e9a5ba08dc021c39b6a5535a7305bb6d

Scanner detections:
24 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser, installed with minimal or no user consent.

Analysis date:
4/24/2024 11:59:11 PM UTC

Scan engine              | Detection                                           | Engine version
-------------------------|-----------------------------------------------------|----------------
Lavasoft Ad-Aware        | Trojan.Generic.11385338                             | 863
Agnitum Outpost          | Riskware.Agent                                      | 7.1.1
AhnLab V3 Security       | PUP/Win32.InstallVibes                              | 2014.09.25
Avira AntiVirus          | TR/Dropper.Gen                                      | 7.11.30.172
AVG                      | Bundlo                                              | 2015.0.3341
Bitdefender              | Trojan.Generic.11385338                             | 1.0.20.1340
Clam AntiVirus           | Win.Trojan.11385338                                 | 0.98/21411
Comodo Security          | Application.Win32.Bundlore.C                        | 18762
Dr.Web                   | Adware.Downware.4760                                | 9.0.1.0268
Emsisoft Anti-Malware    | Trojan.Generic.11385338                             | 8.14.09.25.01
ESET NOD32               | Win32/Bundlore.G potentially unwanted application   | 8.7.0.302.0
F-Prot                   | W32/A-e489c4c3                                      | v6.4.7.1.166
F-Secure                 | Trojan.Generic.11385338                             | 11.2014-25-09_5
G Data                   | Trojan.Generic.11385338                             | 14.9.24
IKARUS anti.virus        | PUA.Bundlore                                        | t3scan.1.6.1.0
K7 AntiVirus             | Unwanted-Program                                    | 13.180.12626
Malwarebytes             | PUP.Optional.InstallVibes                           | v2014.09.25.02
McAfee                   | PUP-FDC                                             | 5600.6997
MicroWorld eScan         | Trojan.Generic.11385338                             | 15.0.0.804
nProtect                 | Trojan.Generic.11385338                             | 14.09.24.01
Panda Antivirus          | Trj/Genetic.gen                                     | 14.09.25.02
Reason Heuristics        | PUP.Installer.InstallVibes.F                        | 14.9.25.1
Sophos                   | Bundlore                                            | 4.98
VIPRE Antivirus          | Threat.4754986                                      | 29708

File size:
319.3 KB (326,912 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Windows\System32\config\systemprofile\downloads\setup.exe

Digital Signature
Signed by:
InstallVibes
Authority:
COMODO CA Limited

Valid from:
3/19/2014 8:00:00 PM

Valid to:
3/19/2016 7:59:59 PM

Subject:
CN=InstallVibes, O=InstallVibes, STREET=Ehad Haam 21 St., L=Tel Aviv, S=Israel, PostalCode=6515103, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F29201EBC1EAD2B751F2854AD68C6244

File PE Metadata
Compilation timestamp:
6/3/2014 4:08:19 PM

OS version (minimum required, from the PE optional header):
5.1 (Windows XP)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0 (Microsoft linker shipped with Visual Studio 2013)

CTPH (ssdeep):
6144:dPB049LwerBLbii5bkgVuN+xSKV7Wkrsf7LsMAgoqRX45vT:dp9Se9XikbkgaISKVRqR457

Entry address:
0x34D2

Entry point:
E8, 64, 4D, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 28, 7E, 41, 00, E8, E8, 2C, 00, 00, E8, 35, 4F, 00, 00, 0F, B7, F0, 6A, 02, E8, F7, 4C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, B6, 44, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

These bytes are the standard Microsoft Visual C++ CRT startup stub rather than a packer stub, which is consistent with the linker version 12.0 above: a call to __security_init_cookie, a jump into the CRT main routine, an SEH frame set-up (push 14h; push offset; call), then the CRT's checks for the 'MZ' word at image base 0x400000 (B8 4D 5A 00 00 / 66 39 05 00 00 40 00), the 'PE' signature at e_lfanew (A1 3C 00 40 00 / 81 B8 00 00 40 00 50 45 00 00) and the PE32 magic 0x10B (B9 0B 01 00 00 / 66 39 88 18 00 40 00), which it uses to decide whether the image is a managed (.NET) executable.

Entropy:
6.8435

Code size:
65 KB (66,560 bytes)
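The PE metadata above (compile timestamp, linker and OS versions, subsystem, entry point RVA and its first bytes, code size, entropy, hashes) all come straight from the DOS, COFF and PE32 optional headers. The following Python script is an added example, not tooling from the report or from Reason Core Security, that reads those fields from a Win32 EXE image. It builds a small constructed PE32 image in memory so it runs offline; only the header values and the first entry-point bytes are copied from this report, and the section layout, fill pattern and hashes of the constructed image are assumptions of the demo and do not match the real setup.exe.

```python
"""Added example: read the header fields this report lists from a Win32 PE image.
The sample image is constructed here; only its header values and the first
entry-point bytes are copied from the report."""
import hashlib
import math
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}

# First 22 bytes of the entry point as listed in the report.
ENTRY_BYTES = bytes.fromhex("E8644D0000E9000000006A1468287E4100E8E82C0000")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes; optional header follows it
    (magic, lmaj, lmin, size_of_code, _, _, entry_rva, _, _, image_base, _, _,
     os_maj, os_min, _, _, _, _, _, _, _, _, subsystem, _) = struct.unpack_from(
        "<HBBIIIIIIIIIHHHHHHIIIIHH", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        # Map a relative virtual address to a file offset via the section table.
        for _, va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    entry_off = rva_to_offset(entry_rva)
    return {
        "machine": machine,
        "compile_time": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{lmaj}.{lmin}",
        "os_version": f"{os_maj}.{os_min}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_bytes": data[entry_off:entry_off + 16].hex().upper(),
        "code_size": size_of_code,
        "entropy": round(shannon_entropy(data), 4),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_image() -> bytes:
    """Construct a minimal PE32 image carrying the report's header values (assumed layout)."""
    entry_rva, text_va, text_raw, text_size = 0x34D2, 0x1000, 0x200, 0x3000
    ts = int(datetime(2014, 6, 3, 16, 8, 19, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHH",
                      0x10B, 12, 0, text_size, 0, 0, entry_rva, text_va, 0x4000, 0x400000,
                      0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0, 0x5000, 0x200, 0, 2, 0x8140)
    opt = opt.ljust(0xE0, b"\0")  # PE32 optional header incl. empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size, text_raw,
                       0, 0, 0, 0, 0x60000020)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    headers = (dos.ljust(0x80, b"\0") + b"PE\0\0" + coff + opt + sect).ljust(text_raw, b"\0")
    body = bytearray((i * 131 + 7) & 0xFF for i in range(text_size))  # filler, not real code
    body[entry_rva - text_va:entry_rva - text_va + len(ENTRY_BYTES)] = ENTRY_BYTES
    return headers + bytes(body)


if __name__ == "__main__":
    for k, v in parse_pe(build_sample_image()).items():
        print(f"{k}: {v}")
```

Run it against a real file by replacing build_sample_image() with open(path, "rb").read(); the entropy reported above (6.84 over the whole file) is what shannon_entropy returns on the full image, and a value approaching 8.0 would instead point at a packed or encrypted payload.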

The file setup.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
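The hashes and network contacts in this report are the indicators a responder would actually hunt with. The Python below is an added example, not tooling from the report, that turns them into a matcher for file digests and for proxy or DNS log lines. The hashes, hostnames and IPs are copied from the report; the log lines are constructed for the demo. wac.edgecastcdn.net (72.21.81.13) is deliberately left out of the indicator set because it is a shared CDN edge and would match unrelated traffic; any host under yontoo.com is treated as a match because both observed contacts sit there.

```python
"""Added example: match the report's file hashes and network indicators.
Indicators are copied from the report; SAMPLE_LOG is constructed for the demo."""
import hashlib
import re

FILE_HASHES = {
    "md5": "aeaee748dda63a65a1888ac713c95c06",
    "sha1": "2ead4b45431071f701739e25e73ef6eb85cacf68",
    "sha256": "b92df0e7a1a4e7dbbc9d3203292e1d86e9a5ba08dc021c39b6a5535a7305bb6d",
}
# wac.edgecastcdn.net / 72.21.81.13 is omitted: a shared CDN edge, too noisy to block on.
NETWORK_HOSTS = {"api.yontoo.com", "service.yontoo.com", "lp.download-free-videos.com"}
NETWORK_IPS = {"8.25.35.15", "8.25.35.148"}

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed proxy-style log lines (not from any real environment).
SAMPLE_LOG = """\
2024-04-24T23:59:11Z 10.0.0.7 GET http://api.yontoo.com/ 200
2024-04-24T23:59:12Z 10.0.0.7 GET http://wac.edgecastcdn.net/ 200
2024-04-24T23:59:13Z 10.0.0.9 GET http://www.example.com/ 200
2024-04-24T23:59:14Z 10.0.0.7 CONNECT 8.25.35.148:80
2024-04-24T23:59:15Z 10.0.0.9 GET http://lp.download-free-videos.com/setup.exe 200
"""


def digests_of(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's bytes, keyed the same way as FILE_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_match(digests: dict) -> bool:
    """True if any supplied digest equals the report's value for that algorithm."""
    return any(digests.get(alg, "").lower() == val for alg, val in FILE_HASHES.items())


def scan_log(text: str) -> list:
    """Return one hit per indicator occurrence: {'line', 'kind', 'indicator'}."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in NETWORK_HOSTS or h.endswith(".yontoo.com"):
                hits.append({"line": n, "kind": "host", "indicator": h})
        for ip in IP_RE.findall(line):
            if ip in NETWORK_IPS:
                hits.append({"line": n, "kind": "ip", "indicator": ip})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("sample file matches report hashes:", hashes_match(digests_of(b"not the real file")))
```

The CDN line and the example.com line produce no hit, the api.yontoo.com request, the direct CONNECT to 8.25.35.148 and the download from lp.download-free-videos.com do. For a real hunt, feed digests_of() the bytes of any setup.exe found under the path listed above and scan_log() your proxy or DNS export.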

Powered by Reason Core Security