home

setup.exe

sizlsearch

This is the installer and setup program from the sizlsearch branded Yontoo adware web browser extension. This adware injects various forms of advertisements in the user's web browser based on the HTML content and URLs viewed. Ad include banners, in-line context text links, coupons, and search. The program will install an auto-updating background service that will update the software with additional features. The application setup.exe by sizlsearch has been detected as adware by 27 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
sizlsearch  (signed and verified)

MD5:
d17ea42f9649567eec2a728b32f7b678

SHA-1:
daf86a077a6ccef8bc0d0f16c481f01b93773d26

SHA-256:
b8d288602b95cbace82a0c3b7247a38c540a6f0376e7841311bcf34fdb2cdd0d

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/24/2024 10:41:19 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.SwiftBrowse.1
896

Agnitum Outpost
Riskware.Agent
7.1.1

avast!
Win32:PUP-gen [PUP]
2014.9-140822

AVG
Could be an adware BrowseFox
2014.0.4007

Baidu Antivirus
Adware.Win32.BrowseFox
4.0.3.14822

Bitdefender
Gen:Variant.Adware.SwiftBrowse.1
1.0.20.1170

Clam AntiVirus
Win.Adware.Linkular
0.98/19293

Dr.Web
Trojan.BPlug.93
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Adware.SwiftBrowse
8.14.08.22.08

ESET NOD32
Win32/BrowseFox.C potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/BrowseFox
8/22/2014

F-Secure
Gen:Variant.Adware.SwiftBrowse.1
11.2014-22-08_6

IKARUS anti.virus
PUA.BrowseFox
t3scan.1.7.5.0

K7 AntiVirus
Trojan
13.183.13113

Kaspersky
not-a-virus:HEUR:AdWare.Win32.Kranet
15.0.0.494

Malwarebytes
PUP.Optional.Sizlsearch
v2014.08.22.08

McAfee
Artemis!D17EA42F9649
5600.7030

MicroWorld eScan
Gen:Variant.Adware.SwiftBrowse.1
15.0.0.702

NANO AntiVirus
Trojan.Win32.BPlug.dcnjjv
0.28.2.61721

Panda Antivirus
Trj/Chgt.B
14.08.22.08

Qihoo 360 Security
Win32/Virus.Adware.e4c
1.0.0.1015

Reason Heuristics
PUP.Installer.sizlsearch.F
14.8.20.3

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.14820

Sophos
Generic PUA NH
4.98

SUPERAntiSpyware
Adware.BrowseFox/Variant
10405

Trend Micro House Call
Suspici.BBAC4570
7.2.234

VIPRE Antivirus
Threat.4741131
32210

File size:
2 MB (2,122,968 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup.exe

Digital Signature
Signed by:
sizlsearch

Authority:
VeriSign, Inc.

Valid from:
11/14/2013 1:00:00 AM

Valid to:
11/15/2014 12:59:59 AM

Subject:
CN=sizlsearch, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=sizlsearch, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
14A03B7644CA6A74D050BBD6188EAA95

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:9rYqBu8Niplz0gozSfeY9wqWTv3oyIL09Rbu1jyq6p8y8p:9MqB/kplz0CfegwqW74ydHQCep

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9976

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.