setup.exe

Internet Program

This is the installer and setup program for the Internet Program branded Yontoo adware web browser extension. This adware injects various forms of advertisements into the user's web browser based on the HTML content and URLs viewed. Ads include banners, in-line context text links, coupons, and search. The program installs an auto-updating background service that updates the software with additional features. The application setup.exe by Internet Program has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
Internet Program (signed and verified)

Version:
2.0.5474.6570

MD5:
1e6891da801fe26d9cab40cff4b1f907

SHA-1:
845f3516fb930b16c898cfdf7345c7c0b3cac2b7

SHA-256:
a895ad2ac2e1b8e1ad7a67e85a6d853a2c352f59a64d3bbc9ad6878c506997aa

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/25/2024 5:32:43 AM UTC

Scan engine             Detection                                            Engine version
AVG                     Generic                                              2016.0.3096
Bkav FE                 W32.HfsAdware                                        1.3.0.6379
Clam AntiVirus          Win.Adware.Browsefox-725                             0.98/21511
Dr.Web                  Trojan.Yontoo.1735                                   9.0.1.05190
ESET NOD32              Win32/BrowseFox.AZ potentially unwanted application  7.0.302.0
Kaspersky               not-a-virus:HEUR:AdWare.NSIS.BrowseFox               14.0.0.1977
Malwarebytes            PUP.Adware.Agent                                     v2015.05.27.12
McAfee                  Trojan.Artemis!904278716F9F                          17.6.569.0
Reason Heuristics       PUP.Yontoo.Installer                                 15.5.27.8
Trend Micro House Call  Suspici.AC0890C6                                     7.2.147
Vba32 AntiVirus         suspected of Trojan.Downloader.gen.h                 3.12.26.4
VIPRE Antivirus         Threat.4741131                                       40552

File size:
615.6 KB (630,384 bytes)

Product version:
2014.12.27

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/5/2014 12:00:00 AM

Valid to:
11/5/2015 11:59:59 PM

Subject:
CN=Internet Program, O=Internet Program, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
146D6AFF83C11B0B4BF34BD665E746C7

File PE Metadata
Compilation timestamp:
6/5/2014 12:58:31 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:p0nM3D0Fw/tN8dkmLtpHHHrh7VVmu4GkK/n/5S93ZIGY0B4iOZzWat:p3z0FmcLbH1jmakKnMrIxJBZr

Entry address:
0x31E4

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, E0, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, B8, 6C, 44, 00, E8, 1B, 25, 00, 00, 53, 68, 60, 01, 00, 00, A3, C0, 6B, 44, 00, 8D, 44, 24, 38, 50, 53, 68, DB, 73, 40, 00, FF, 15, 58, 71, 40, 00, 68, D0, 73, 40, 00, 68, C0, 2B, 44, 00, E8, 0D, 24, 00, 00, FF, 15, AC, 70, 40, 00, 50, BF, 00, F0, 46, 00, 57, E8, FB, 23, 00, 00...

Entropy:
7.9248

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security