home

yolo01072013.exe

Yolobar

Visicom Media Inc.

This is part of the Visicom VMN web browser toolbar and extension that will modify the browser's default search provider, DNS, and home page functions. The application yolo01072013.exe, “Yolobar Installer” by Visicom Media has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from dl-2.kbm2.com.
Publisher:
Visicom Media Inc.  (signed and verified)

Product:
Yolobar

Description:
Yolobar Installer

Version:
1.0

MD5:
39ad40230c7242930db7e995cf88cbc6

SHA-1:
47a3713b387fdf1da63d4f357467231968f35aa4

SHA-256:
fb54a14b0eb7939fd8085e778156f733433a9081c78c5adbe601513d56aed091

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
4/26/2024 2:53:31 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.YolobarInstaller.VisicomMedia.M
14.10.1.11

File size:
2.1 MB (2,174,520 bytes)

Product version:
1.0.0.8

Copyright:
© Visicom Media Inc. (License)

Trademarks:
Visicom Media Inc., All Rights Reserved

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\yolo01072013.exe

Digital Signature
Signed by:
Visicom Media Inc.

Authority:
Thawte, Inc.

Valid from:
4/18/2012 12:00:00 AM

Valid to:
6/21/2014 11:59:59 PM

Subject:
CN=Visicom Media Inc., OU=SECURE APPLICATION DEVELOPMENT, O=Visicom Media Inc., L=Brossard, S=Quebec, C=CA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
2B19B54BB7ABEE1A2623111C029AF449

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:9CLbORLnd6hpbBk0Hj4YHj0JnTatvRBknZ/yu7qSiE:2aL+pFkYc+AJnTkBkn15

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.9915

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file yolo01072013.exe has been seen being distributed by the following URL.

http://dl-2.kbm2.com/.../yolo01072013.exe

Remove yolo01072013.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.