home

yontoosetup.exe

Yontoo

Yontoo LLC

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application yontoosetup.exe by Yontoo has been detected as adware by 20 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. The file has been seen being downloaded from dl.yontoo.com. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Yontoo LLC  (signed and verified)

Product:
Yontoo

Description:
Installer

Version:
2013.5.17.1446

MD5:
932e3d21a38cc7adf9ce4e1f304d5dcf

SHA-1:
19a1b304d2c86284935a19799b8f325f1b24c132

SHA-256:
5840c4fbd75ee3a3798eef16de0f0ddf5817e7862adc22f7ed6f8864d0430426

Scanner detections:
20 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
4/25/2024 1:43:31 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Adware.Yontoo
7.1.1

Avira AntiVirus
ADWARE/Yontoo.Gen
7.11.98.36

AVG
AdInject.Yontoo
2014.0.3643

Baidu Antivirus
Adware.Win32.Agent
4.0.3.131211

Bkav FE
W32.Clod764.Trojan
1.3.0.4562

Boost by Reason
Optional.Yontoo.L
188838

Comodo Security
ApplicUnwnt
16821

Dr.Web
Adware.Plugin.11
9.0.1.0239

ESET NOD32
Win32/Adware.Yontoo (variant)
7.8726

F-Prot
W32/Adware.AKRV
v6.4.7.1.166

IKARUS anti.virus
AdWare.Yontoo
t3scan.2.0.127

K7 AntiVirus
Adware
13.170.9377

McAfee
Artemis!B1A9C17E5529
5600.7271

MicroWorld eScan
ADWARE/Yontoo.Gen
14.0.0.990

Reason Heuristics
PUP.Installer.Yontoo.L
14.8.7.17

Rising Antivirus
Trojan.InstallRex!562A
23.00.65.131124

Trend Micro House Call
TROJ_GEN.RCBH1ET13
7.2.239

Trend Micro
BKDR_BIFROSE.BMC
10.465.26

VIPRE Antivirus
Yontoo
20864

XVirus List
Win.Detected
2.3.31

File size:
1.1 MB (1,164,496 bytes)

Product version:
2.053

Copyright:
Copyright (c) 2013 Yontoo LLC. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\yontoosetup.exe

Digital Signature
Signed by:
Yontoo LLC

Authority:
VeriSign, Inc.

Valid from:
10/23/2012 5:00:00 PM

Valid to:
12/23/2013 3:59:59 PM

Subject:
CN=Yontoo LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Yontoo LLC, L=Carlsbad, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4A49FB7E6B0BCF398A1ACF39EA80D982

File PE Metadata
Compilation timestamp:
3/10/2011 6:55:32 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:KtL29VffN7kb1f3nr2mBSq6i4eTlzZ7/2DO92nkG3BhkG:mOVHN4b1f3rKvYlzxl2nzkG

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...
 
[+]

Entropy:
7.9957

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file yontoosetup.exe has been seen being distributed by the following URL.

http://dl.yontoo.com/Install/.../yontoosetup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove yontoosetup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.