» setup.exe
Overview
Analysis
File Details
Network (3)

setup.exe

InstallVibes

This is the installer and setup program from the InstallVibes branded Yontoo adware web browser extension. This adware injects various forms of advertisements in the user's web browser based on the HTML content and URLs viewed. Ad include banners, in-line context text links, coupons, and search. The program will install an auto-updating background service that will update the software with additional features. The application setup.exe by InstallVibes has been detected as adware by 8 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software.

File name:

setup.exe

Publisher:

InstallVibes (signed and verified)

Version:

1.9.10.11

MD5:

573c6712c6136a8b8dcb69f20e54d7f9

SHA-1:

858644a8e5e5ef032f87d378cc2ce05dbdc17258

SHA-256:

dabe845ad29e2ddf57488e4e72782585fa1fbbfeadc0b5b2c58bc3139f5da2ce

Scanner detections:

8 / 68

Status:

Adware

Explanation:

Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:

4/26/2024 12:16:30 AM UTC (today)

Scan engine

Detection

Engine version

Avira AntiVirus

APPL/Downloader.Gen9

7.11.163.102

AVG

Bundlo

2015.0.3405

Baidu Antivirus

Trojan.Win32.Adload

4.0.3.14722

ESET NOD32

Win32/TrojanDownloader.Adload.NMZ trojan

7.0.302.0

IKARUS anti.virus

AdWare.Adload

t3scan.1.6.1.0

Reason Heuristics

PUP.Installer.InstallVibes.F

14.7.22.10

Sophos

Bundlore

4.98

VIPRE Antivirus

Threat.4754986

31208

File size:

746.4 KB (764,360 bytes)

Product version:

1.9.10.11

File type:

Executable application (Win32 EXE)

Language:

Turkish (Turkey)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature

Signed by:

InstallVibes

Authority:

COMODO CA Limited

Valid from:

3/19/2014 11:00:00 PM

Valid to:

3/19/2016 10:59:59 PM

Subject:

CN=InstallVibes, O=InstallVibes, STREET=Ehad Haam 21 St., L=Tel Aviv, S=Israel, PostalCode=6515103, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00F29201EBC1EAD2B751F2854AD68C6244

File PE Metadata

Compilation timestamp:

2/4/2013 5:24:57 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

12288:+SxG0VgX/d4BL8+iD784eoQHGPMgb4idK8Q+oP3Fm0WBeKa4Xf7N:dxG+QA8hevKfpdotkV

Entry address:

0x113BC

Entry point:

55, 8B, EC, 83, C4, A4, 53, 56, 57, 33, C0, 89, 45, C4, 89, 45, C0, 89, 45, A4, 89, 45, D0, 89, 45, C8, 89, 45, CC, 89, 45, D4, 89, 45, D8, 89, 45, EC, B8, 2C, 00, 41, 00, E8, E8, 51, FF, FF, 33, C0, 55, 68, 9E, 1A, 41, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 5A, 1A, 41, 00, 64, FF, 32, 64, 89, 22, A1, 48, 5B, 41, 00, E8, 16, D8, FF, FF, E8, 65, D3, FF, FF, 80, 3D, DC, 2A, 41, 00, 00, 74, 0C, E8, 2B, D9, FF, FF, 33, C0, E8, 80, 32, FF, FF, 8D, 55, EC, 33, C0, E8, E2, A3, FF, FF, 8B, 55, EC, B8, 50, 86... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

63.5 KB (65,024 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to wac.edgecastcdn.net (72.21.81.13:80)

TCP (HTTP):

Connects to service.yontoo.com (8.25.35.148:80)

TCP (HTTP):

Connects to api.yontoo.com (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.