setup.exe

InstallVibes

This is the installer and setup program for the InstallVibes-branded Yontoo adware web browser extension. The adware injects various forms of advertising into the user's web browser based on the HTML content and URLs viewed; ads include banners, in-line context text links, coupons, and search. The program also installs an auto-updating background service that updates the software with additional features. The application setup.exe by InstallVibes has been detected as adware by 24 anti-malware scanners. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
InstallVibes  (signed and verified)

MD5:
b589d5d7c50a45ffdbdfdbde6409cf91

SHA-1:
e8ca05980a1a41e445ef1cd9a75bf8af288767cf

SHA-256:
a559505afdd0b9acec29bf6fef2b3326b2e20aa3f3417a01347aaeb69822c38b

Scanner detections:
24 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser, installed with minimal or no user consent.

Analysis date:
4/25/2024 6:38:17 PM UTC

Scan engine             Detection                                           Engine version
Lavasoft Ad-Aware       Trojan.Generic.12390499                             6475091
AhnLab V3 Security      Win-PUP/Bundlore                                    2015.01.29
Avira AntiVirus         TR/Dropper.Gen                                      7.11.205.178
avast!                  Trojan-gen                                          150126-0
AVG                     Bundlo                                              2016.0.3215
Bitdefender             Trojan.Generic.12390499                             1.0.20.140
Clam AntiVirus          Win.Trojan.Bundlore-20                              0.98/19988
Comodo Security         Application.Win32.Bundlore.C                        20877
Emsisoft Anti-Malware   Trojan.Generic.12390499                             9.0.0.4799
ESET NOD32              Win32/Bundlore.G potentially unwanted application   7.0.302.0
Fortinet FortiGate      Riskware/Generic.AC.2238364                         1/28/2015
F-Prot                  W32/A-08050b59                                      v6.4.7.1.166
F-Secure                Trojan.Generic.12390499                             5.13.68
G Data                  Trojan.Generic.12390499                             15.1.25
K7 AntiVirus            Unwanted-Program                                    13.193.14786
Kaspersky               not-a-virus:Downloader.Win32.InstallVibe            15.0.0.543
Malwarebytes            PUP.Optional.Bundlore                               v2015.01.28.01
McAfee                  Program.PUP-FDC                                     16.8.708.2
MicroWorld eScan        Trojan.Generic.12390499                             16.0.0.84
nProtect                Trojan.Generic.12390499                             15.01.28.01
Panda Antivirus         Trj/Genetic.gen                                     15.01.28.01
Reason Heuristics       PUP.Installer.Yontoo                                15.1.28.13
Sophos                  PUA 'Bundlore'                                      5.09
VIPRE Antivirus         Threat.4754986                                      36694

File size:
315.3 KB (322,816 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/19/2014 5:00:00 PM

Valid to:
3/19/2016 4:59:59 PM

Subject:
CN=InstallVibes, O=InstallVibes, STREET=Ehad Haam 21 St., L=Tel Aviv, S=Israel, PostalCode=6515103, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F29201EBC1EAD2B751F2854AD68C6244

File PE Metadata
Compilation timestamp:
6/1/2014 4:31:03 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:9yytIIyqLbii5bkgVuN+xSKV7Wkrsf7LsZ6RNRBu+:9yytIIPXikbkgaISKVYRbBH

Entry address:
0x345D

Entry point:
E8, 5A, 4C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B0, 6B, 41, 00, E8, DD, 2B, 00, 00, E8, 2B, 4E, 00, 00, 0F, B7, F0, 6A, 02, E8, ED, 4B, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, AB, 43, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Entropy:
6.8393

Code size:
62.5 KB (64,000 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Powered by Reason Core Security