» setup.exe
Overview
Analysis
File Details
Downloads (2)
Network (3)

setup.exe

InstallVibes

This is the installer and setup program from the InstallVibes branded Yontoo adware web browser extension. This adware injects various forms of advertisements in the user's web browser based on the HTML content and URLs viewed. Ad include banners, in-line context text links, coupons, and search. The program will install an auto-updating background service that will update the software with additional features. The application setup.exe by InstallVibes has been detected as adware by 24 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software.

File name:

setup.exe

Publisher:

InstallVibes (signed and verified)

MD5:

ab9278125a8545235503b90d38fce468

SHA-1:

61d8f5a18fb74fd62866c5f7f0609fcd5c758c8e

SHA-256:

66b1966a4698e89f4c159c0d35d377986a9c56726864bae81355d32166ad51d3

Scanner detections:

24 / 68

Status:

Adware

Explanation:

Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:

4/19/2024 6:01:19 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.11476035

914

Agnitum Outpost

Riskware.Agent

7.1.1

AhnLab V3 Security

PUP/Win32.Bundlore

2014.08.05

Avira AntiVirus

TR/Dropper.Gen

7.11.30.172

avast!

Win32:Malware-gen

140617-1

AVG

Bundlo

2015.0.3392

Bitdefender

Trojan.Generic.11476035

1.0.20.1080

Comodo Security

Application.Win32.Bundlore.G

19083

Emsisoft Anti-Malware

Trojan.Generic.11476035

8.14.08.04.04

ESET NOD32

Win32/Bundlore.I potentially unwanted application

8.7.0.302.0

F-Secure

Trojan.Generic.11476035

11.2014-04-08_2

G Data

Trojan.Generic.11476035

14.8.24

IKARUS anti.virus

PUA.Bundlore

t3scan.1.6.1.0

K7 AntiVirus

Unwanted-Program

13.180.12553

Malwarebytes

PUP.Optional.Bundlore

v2014.08.04.04

McAfee

PUP-FLP

5600.7048

MicroWorld eScan

Trojan.Generic.11476035

15.0.0.648

nProtect

Trojan.Generic.11476035

14.08.04.01

Panda Antivirus

Trj/Genetic.gen

14.08.04.04

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Reason Heuristics

PUP.Installer.InstallVibes.F

14.8.4.14

Sophos

Bundlore

4.98

SUPERAntiSpyware

PUP.Bundlore

10442

VIPRE Antivirus

Threat.4754986

29708

File size:

245.8 KB (251,648 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\downloads\setup.exe

Digital Signature

Signed by:

InstallVibes

Authority:

COMODO CA Limited

Valid from:

3/19/2014 8:00:00 PM

Valid to:

3/19/2016 7:59:59 PM

Subject:

CN=InstallVibes, O=InstallVibes, STREET=Ehad Haam 21 St., L=Tel Aviv, S=Israel, PostalCode=6515103, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00F29201EBC1EAD2B751F2854AD68C6244

File PE Metadata

Compilation timestamp:

6/26/2014 2:04:51 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

12.0

CTPH (ssdeep):

6144:D3nNdoV9pDYMq8WZf7K9qtWH8p7zMWTMM09rDs:D3b69pDYKgTKYthzFgPrY

Entry address:

0x2F03

Entry point:

E8, 82, 51, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 88, 7C, 41, 00, E8, 67, 40, 00, 00, E8, 53, 53, 00, 00, 0F, B7, F0, 6A, 02, E8, 15, 51, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, D4, 48, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Entropy:

7.4984

Code size:

67.5 KB (69,120 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.

http://lp.downloadsrv13.com/download/.../?software=VideoDownloader&name=setup.exe&no_cache=2d774929f09531663368178da16df58016884e0edd

http://lp.downloadsrv13.com/.../setup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to wac.edgecastcdn.net (72.21.81.13:80)

TCP (HTTP):

Connects to service.yontoo.com (8.25.35.148:80)

TCP (HTTP):

Connects to api.yontoo.com (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.