home

setup.exe

InstallVibes

This is the installer and setup program from the InstallVibes branded Yontoo adware web browser extension. This adware injects various forms of advertisements in the user's web browser based on the HTML content and URLs viewed. Ad include banners, in-line context text links, coupons, and search. The program will install an auto-updating background service that will update the software with additional features. The application setup.exe by InstallVibes has been detected as adware by 30 anti-malware scanners. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
InstallVibes  (signed and verified)

MD5:
874f802837ca9699abfd084979392479

SHA-1:
50e2a151846047874a8a3fbea6e5dd822bde13a6

SHA-256:
db7d8405357fed179e50abe1b39af6db1c7e1630721da7c008407243a5f964ca

Scanner detections:
30 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
4/26/2024 5:50:02 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.MPlug.6
5690745

Agnitum Outpost
Riskware.Agent
7.1.1

AhnLab V3 Security
PUP/Win32.Bundlore
2015.04.25

Avira AntiVirus
TR/Bundlore.D.1
3.6.1.96

avast!
PUP-gen [PUP]
150423-1

AVG
Win.Threat.Medium
2014.0.4311

Bitdefender
Gen:Variant.Adware.MPlug.6
1.0.20.575

Bkav FE
W32.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Trojan.Bundlore-3
0.98/21511

Comodo Security
Application.Win32.Agent.BUNE
21884

Dr.Web
Adware.Downware.10491, Adware.Downware.6446
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Adware.MPlug
9.0.0.4799

ESET NOD32
Win32/Bundlore.F potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/Generic.AC.1805592
4/25/2015

F-Prot
W32/A-2d28fe0c
v6.4.7.1.166

F-Secure
Gen:Variant.Adware.MPlug
5.13.68

G Data
Gen:Variant.Adware.MPlug
15.4.25

IKARUS anti.virus
Trojan.Bundlore
t3scan.1.8.9.0

K7 AntiVirus
Unwanted-Program
13.203.15706

Kaspersky
not-a-virus:Downloader.Win32.Bundl
15.0.0.543

Malwarebytes
PUP.Optional.Bundlore.C
v2015.04.25.02

McAfee
Program.PUP-FJG
16.8.708.2

MicroWorld eScan
Gen:Variant.Adware.MPlug.6
16.0.0.345

Norman
Gen:Variant.Adware.MPlug.6
03.12.2014 13:20:04

Panda Antivirus
Trj/Genetic.gen
15.04.25.02

Reason Heuristics
Threat.Yontoo.Installer
15.4.24.21

Sophos
Bundlore
4.98

Vba32 AntiVirus
Downloader.Bundl
3.12.26.3

VIPRE Antivirus
Threat.4150696
39354

Zillya! Antivirus
Downloader.Bundl.Win32.11
2.0.0.2153

File size:
284.2 KB (291,048 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:
InstallVibes

Authority:
COMODO CA Limited

Valid from:
3/19/2014 8:00:00 PM

Valid to:
3/19/2016 7:59:59 PM

Subject:
CN=InstallVibes, O=InstallVibes, STREET=Ehad Haam 21 St., L=Tel Aviv, S=Israel, PostalCode=6515103, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F29201EBC1EAD2B751F2854AD68C6244

File PE Metadata
Compilation timestamp:
5/14/2014 8:23:40 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:kVkX4m5Cld3Lbii5bkgVuN+xSKV7Wkrsf7LsZX/eLdz7:mkomglJXikbkgaISKV5X/eJ7

Entry address:
0x555D

Entry point:
E8, 54, 62, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, F0, C4, 41, 00, E8, 6D, 16, 00, 00, E8, 25, 64, 00, 00, 0F, B7, F0, 6A, 02, E8, E7, 61, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, A6, 59, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.4655

Code size:
81.5 KB (83,456 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.