» setup.exe
Overview
Analysis
File Details
Network (3)

setup.exe

ToggleMark

This is the installer and setup program from the ToggleMark branded Yontoo adware web browser extension. This adware injects various forms of advertisements in the user's web browser based on the HTML content and URLs viewed. Ad include banners, in-line context text links, coupons, and search. The program will install an auto-updating background service that will update the software with additional features. The application setup.exe by ToggleMark has been detected as adware by 19 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.

File name:

setup.exe

Publisher:

ToggleMark (signed and verified)

MD5:

5b50884ad6bebbddee79be2185603cc7

SHA-1:

ebd8c2ce505ed251826bd457a8e8971aa00575a0

SHA-256:

6b022099e81d6a18d2797544f5824722f568b64c4a849b93da61a72ec20c097c

Scanner detections:

19 / 68

Status:

Adware

Explanation:

Injects advertising in the web browser in various formats.

Analysis date:

4/25/2024 11:36:48 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.SwiftBrowse.1

927

Agnitum Outpost

Riskware.Agent

7.1.1

AVG

BrowseFox

2015.0.3405

Bitdefender

Gen:Variant.Adware.SwiftBrowse.1

1.0.20.1020

Comodo Security

Application.Win32.Ciorik.RWLZ

18926

Dr.Web

Trojan.BPlug.108

9.0.1.0204

Emsisoft Anti-Malware

Gen:Variant.Adware.SwiftBrowse

8.14.07.23.09

ESET NOD32

Win32/BrowseFox (variant)

8.10130

Fortinet FortiGate

Riskware/BrowseFox

7/23/2014

F-Secure

Gen:Variant.Adware.SwiftBrowse.1

11.2014-23-07_4

IKARUS anti.virus

PUA.BrowseFox

t3scan.1.6.1.0

Malwarebytes

PUP.Optional.ToggleMark.A

v2014.07.23.09

McAfee

Artemis!B3DCE07EED12

5600.7061

MicroWorld eScan

Gen:Variant.Adware.SwiftBrowse.1

15.0.0.612

Reason Heuristics

PUP.Installer.ToggleMark.F

14.7.23.8

Rising Antivirus

NS:PUF.SilenceInstaller!1.9DDF

23.00.65.14721

SUPERAntiSpyware

Adware.BrowseFox/Variant

10466

Trend Micro House Call

Suspici.BBAC4570

7.2.204

VIPRE Antivirus

Trojan.Win32.Generic

31472

File size:

2 MB (2,102,496 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup.exe

Digital Signature

Signed by:

ToggleMark

Authority:

VeriSign, Inc.

Valid from:

2/4/2014 12:00:00 AM

Valid to:

2/4/2015 11:59:59 PM

Subject:

CN=ToggleMark, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ToggleMark, L=Santa Monica, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

1E789CAD165E259708D9809CE2D90278

File PE Metadata

Compilation timestamp:

12/5/2009 10:52:01 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

49152:G0M9mr88Pz0gIrbARJKE00slFRvQyK4WRkE8d:FM9Rwz0ZbYKE008RvK4WRSd

Entry address:

0x30CB

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Entropy:

7.9975

Packer / compiler:

Nullsoft install system v2.x

Code size:

22.5 KB (23,040 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to wac.edgecastcdn.net (72.21.81.13:80)

TCP (HTTP):

Connects to service.yontoo.com (8.25.35.148:80)

TCP (HTTP):

Connects to api.yontoo.com (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.