setup.exe

InstallVibes

This is the installer and setup program for the InstallVibes-branded Yontoo adware web browser extension. The adware injects various forms of advertising into the user's web browser based on the HTML content and URLs viewed. Ads include banners, in-line contextual text links, coupons, and search results. The program also installs an auto-updating background service that updates the software with additional features. The application setup.exe by InstallVibes has been detected as adware by 15 anti-malware scanners. It is a self-extracting archive and installer and has been known to bundle potentially unwanted software.
Publisher:
InstallVibes  (signed and verified)

Version:
1.9.6.11

MD5:
711f3bbe6f3b80213405e3c88f0a7d3b

SHA-1:
eea1c2189c9edf85c8a50e9f46474b9a2cfac3b6

Scanner detections:
15 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser, installed with minimal or no user consent.

Analysis date:
5/14/2024 2:47:53 AM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | SPR/Dldr.Agent.butn | 7.11.153.42
AVG | Bundlo | 2015.0.3452
Baidu Antivirus | Adware.Win32.Bundlore | 4.0.3.1465
Comodo Security | UnclassifiedMalware | 18436
ESET NOD32 | Win32/TrojanDownloader.Adload.NMZ | 8.9894
Fortinet FortiGate | Riskware/Agent | 6/5/2014
IKARUS anti.virus | PUA.Bundleore | t3scan.1.6.1.0
K7 AntiVirus | Unwanted-Program | 13.1712305
Kaspersky | not-a-virus:Downloader.Win32.Agent | 14.0.0.3755
Panda Antivirus | Trj/OCJ.F | 14.06.05.10
Quick Heal | Downloader.Agent.r8 (Not a Virus) | 6.14.14.00
Reason Heuristics | PUP.Installer.InstallVibes.F | 14.6.5.22
Sophos | Bundlore | 4.98
Trend Micro House Call | TROJ_GEN.F47V0527 | 7.2.156
VIPRE Antivirus | Bundlore | 29940

File size:
743.9 KB (761,776 bytes)

Product version:
1.9.6.11

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\Local settings\temp\{random}.tmp\setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/19/2014 6:00:00 PM

Valid to:
3/19/2016 5:59:59 PM

Subject:
CN=InstallVibes, O=InstallVibes, STREET=Ehad Haam 21 St., L=Tel Aviv, S=Israel, PostalCode=6515103, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F29201EBC1EAD2B751F2854AD68C6244

File PE Metadata
Compilation timestamp:
2/4/2013 11:24:57 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:qSxG0QgX/d4BL8+iDhjZnpLrjCi6HENPMgb4idK8Q+oP3Fm0WBeKa4Xf7i:hxGfQA8jj2i6HgfpdotkK

Entry address:
0x113BC

Entry point:
55, 8B, EC, 83, C4, A4, 53, 56, 57, 33, C0, 89, 45, C4, 89, 45, C0, 89, 45, A4, 89, 45, D0, 89, 45, C8, 89, 45, CC, 89, 45, D4, 89, 45, D8, 89, 45, EC, B8, 2C, 00, 41, 00, E8, E8, 51, FF, FF, 33, C0, 55, 68, 9E, 1A, 41, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 5A, 1A, 41, 00, 64, FF, 32, 64, 89, 22, A1, 48, 5B, 41, 00, E8, 16, D8, FF, FF, E8, 65, D3, FF, FF, 80, 3D, DC, 2A, 41, 00, 00, 74, 0C, E8, 2B, D9, FF, FF, 33, C0, E8, 80, 32, FF, FF, 8D, 55, EC, 33, C0, E8, E2, A3, FF, FF, 8B, 55, EC, B8, 50, 86...

Entropy:
7.9314

Developed / compiled with:
Microsoft Visual C++

Code size:
63.5 KB (65,024 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.

http://lp.downloadsrv13.com/.../setup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security