yontooclientsetup.exe

Yontoo Layers Client

Yontoo Technology, Inc.

This is the installer/setup program for the Yontoo adware component, a web browser plugin that injects unwanted advertising into pages the user visits. The application yontooclientsetup.exe, published by Yontoo Technology, Inc., is detected as adware by 2 of the 68 anti-malware scanners used in this analysis. It is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from download.yontoo.com. While running, it connects to api.yontoo.com on port 80 over plain HTTP. Note that the file carries a valid Authenticode signature issued through GoDaddy: a verified signature only establishes who signed the file, not that its behaviour is wanted, so the signature is not a reason to whitelist it.
Publisher:
Yontoo Technology, Inc.  (signed and verified)

Product:
Yontoo Layers Client

Description:
Installer

Version:
2010.10.14.1056

MD5:
8bcfed8d826fac7ad2440d74aa5e8336

SHA-1:
c519aa659c51922bbc5fc1f4961cb6b220c4a4c9

SHA-256:
5b9fc8c89352089e8e641df8bc8ba1b147bcaf3e9dd08ab07134a4f22d3caa2c

Scanner detections:
2 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program, which inserts various forms of advertising into the user's web browser and is installed with minimal or no user consent.

Analysis date:
5/8/2024 1:51:59 AM UTC

Scan engine          Detection                           Engine version
Reason Heuristics    PUP.Installer.YontooTechnology.R    14.7.5.2
VIPRE Antivirus      Yontoo                              8973

File size:
597.5 KB (611,832 bytes)

Product version:
1.10.01

Copyright:
Copyright (c) 2010 Yontoo Technology, Inc.. All rights reserved

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\yontooclientsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
9/2/2009 1:41:20 PM

Valid to:
9/2/2012 1:41:20 PM

Subject:
CN="Yontoo Technology, Inc.", OU=Product Development, O="Yontoo Technology, Inc.", L=Carlsbad, S=CA, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
6A08909DDA7B

File PE Metadata
Compilation timestamp:
8/19/2010 7:08:13 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:EIvTXHYtHmwM4az4Gn+8pjOKGsvOOFkPL+UIy9z632cERN+xVGfvDbyf4fH:zX6mws4GnJlWmkPLxI/3NSfqE

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)
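The hashes, entry address, entry point bytes and compilation timestamp above can be checked against a suspect file directly. The following is an added example, not Reason Core Security's tooling: it parses the PE headers with only the standard library, assumes a 32-bit PE32 image, and assumes the compilation timestamp shown above is UTC. Because the real installer is not embedded here, `build_sample_pe` constructs a minimal stand-in whose header fields mirror the page's values; it will match the structural indicators but, as expected, not the file hashes.

```python
"""Offline triage of a sample against the indicators listed above.

Added example, not Reason Core Security's code.  Assumes a PE32 (32-bit)
sample and that the page's compilation timestamp is shown in UTC.
"""
import hashlib
import struct
import sys
from datetime import datetime, timezone

# Indicators copied from this page for yontooclientsetup.exe.
KNOWN_HASHES = {
    "md5": "8bcfed8d826fac7ad2440d74aa5e8336",
    "sha1": "c519aa659c51922bbc5fc1f4961cb6b220c4a4c9",
    "sha256": "5b9fc8c89352089e8e641df8bc8ba1b147bcaf3e9dd08ab07134a4f22d3caa2c",
}
KNOWN_ENTRY_RVA = 0x1627
# First 14 listed entry-point bytes: push ebp / mov ebp,esp / sub esp,0xB58 /
# push ebx / push esi / xor ebx,ebx / push edi.  This is a stock VC++ prologue,
# so on its own it is a weak indicator; treat it as corroboration only.
KNOWN_ENTRY_PREFIX = bytes.fromhex("558BEC81EC580B0000535633DB57")
KNOWN_TIMESTAMP = 1282244893  # 2010-08-19 19:08:13 UTC (assumption: page shows UTC)


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole file, keyed like KNOWN_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_HASHES}


def parse_pe(data: bytes) -> dict:
    """Read TimeDateStamp, AddressOfEntryPoint and the section table of a PE32."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    nsections, timestamp = struct.unpack_from("<HI", data, coff + 2)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):               # IMAGE_SECTION_HEADER, 40 bytes each
        s = opt + opt_size + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((name, vaddr, max(vsize, rawsize), rawptr))
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def rva_to_offset(rva: int, sections) -> int:
    """Map a relative virtual address to a file offset via the section table."""
    for _name, vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def triage(data: bytes) -> dict:
    """Compare a file against the page's indicators; exact hash match is
    conclusive, the structural matches only corroborate."""
    hashes = file_hashes(data)
    pe = parse_pe(data)
    off = rva_to_offset(pe["entry_rva"], pe["sections"])
    entry_bytes = data[off:off + len(KNOWN_ENTRY_PREFIX)]
    return {
        "hash_match": any(hashes[k] == v for k, v in KNOWN_HASHES.items()),
        "entry_rva_match": pe["entry_rva"] == KNOWN_ENTRY_RVA,
        "entry_prefix_match": entry_bytes == KNOWN_ENTRY_PREFIX,
        "timestamp_match": pe["timestamp"] == KNOWN_TIMESTAMP,
        "compiled_utc": datetime.fromtimestamp(pe["timestamp"], timezone.utc).isoformat(),
        "hashes": hashes,
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in (not the real installer): one .text section at
    RVA 0x1000, code size 0x1E00 (7,680 bytes as listed), entry RVA 0x1627,
    linker 8.0 and the listed timestamp and entry bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, KNOWN_TIMESTAMP, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, 0x10B, 8, 0)            # PE32, linker 8.0
    struct.pack_into("<I", opt, 4, 0x1E00)                   # SizeOfCode
    struct.pack_into("<I", opt, 16, KNOWN_ENTRY_RVA)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x1E00, 0x1000, 0x1E00, 0x400) + bytes(16)
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + opt + sect).ljust(0x400, b"\0"))
    image += bytes(0x1E00)
    off = KNOWN_ENTRY_RVA - 0x1000 + 0x400
    image[off:off + len(KNOWN_ENTRY_PREFIX)] = KNOWN_ENTRY_PREFIX
    return bytes(image)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with a path to the suspect file; with no argument it triages the constructed stand-in. A true positive on the real installer shows every field matching; a repacked or re-signed variant typically keeps the entry prefix and timestamp while the hashes change, which is why the structural fields are reported separately rather than folded into one verdict.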

The file yontooclientsetup.exe has been seen being distributed from the download.yontoo.com host noted above.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
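The three hosts above are not equally useful as detection indicators: the yontoo.com names are specific to this adware, wac.edgecastcdn.net is a shared CDN edge that many legitimate sites also use, and the IP addresses were observed at analysis time and may since have been reassigned. The following is an added example, not Reason Core Security's code, showing how to sweep proxy or DNS logs with those indicators tiered accordingly. The log format and the log lines are constructed for the example (fields: epoch, client IP, destination host or "-", destination IP or "-", port); the only real values are the hosts and IPs listed on this page.

```python
"""Sweep constructed proxy/DNS log lines for the network indicators on this page.

Added example, not Reason Core Security's code.  Log format is constructed:
"<epoch> <client_ip> <dst_host|-> <dst_ip|-> <port>".
"""
import re
from collections import defaultdict

# Indicators copied from this page.  Hostnames under yontoo.com are specific to
# the adware; the IPs are point-in-time observations and may be reassigned, so a
# hit on an IP with no hostname evidence is only queued for review.
YONTOO_DOMAIN = "yontoo.com"
YONTOO_IPS = {"8.25.35.15", "8.25.35.148"}
# Shared CDN edge: corroborates a yontoo.com hit but never convicts on its own.
CDN_HOSTS = {"wac.edgecastcdn.net"}
CDN_IPS = {"72.21.81.13"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<port>\d+)$"
)

# Constructed sample log (client 10.0.0.x and 203.0.113.10 are test addresses).
SAMPLE_LOG = """\
1715129519 10.0.0.5 download.yontoo.com - 80
1715129531 10.0.0.5 api.yontoo.com 8.25.35.15 80
1715129532 10.0.0.5 wac.edgecastcdn.net 72.21.81.13 80
1715129600 10.0.0.7 wac.edgecastcdn.net 72.21.81.13 80
1715129650 10.0.0.9 - 8.25.35.148 80
1715129700 10.0.0.9 example.com 203.0.113.10 443
this line is malformed and must be skipped
"""


def is_yontoo_host(host: str) -> bool:
    """Exact match or any subdomain of yontoo.com (api., service., download.)."""
    host = host.lower().rstrip(".")
    return host == YONTOO_DOMAIN or host.endswith("." + YONTOO_DOMAIN)


def collect_evidence(log_text: str) -> dict:
    """Group indicator hits per client, keeping the three tiers separate."""
    evidence = defaultdict(lambda: {"yontoo": [], "ip": [], "cdn": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        host, ip, client = m["host"].lower().rstrip("."), m["ip"], m["client"]
        if is_yontoo_host(host):
            evidence[client]["yontoo"].append(host)
        elif ip in YONTOO_IPS:
            evidence[client]["ip"].append(ip)
        elif host in CDN_HOSTS or ip in CDN_IPS:
            evidence[client]["cdn"].append(host if host != "-" else ip)
    return dict(evidence)


def scan(log_text: str) -> dict:
    """Per-client verdict: 'adware' (hostname evidence), 'ip-only' (stale-able
    IP evidence, needs review) or 'cdn-only' (shared CDN, no alert)."""
    verdicts = {}
    for client, ev in collect_evidence(log_text).items():
        if ev["yontoo"]:
            verdicts[client] = "adware"
        elif ev["ip"]:
            verdicts[client] = "ip-only"
        else:
            verdicts[client] = "cdn-only"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(scan(SAMPLE_LOG).items()):
        print(f"{client}: {verdict}")
```

On the sample log, 10.0.0.5 is flagged as an adware beacon because it resolved and contacted yontoo.com hosts, 10.0.0.7 is left alone because it only touched the shared CDN, and 10.0.0.9 is queued for review because its only evidence is a bare IP that may no longer belong to Yontoo.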

Powered by Reason Core Security