SHA256: 2cbf1f3d5ff59a9efa4ec5ae54b58c6451edc08f57f25bc97896de4741315cca
File name: TSULoader
Detection ratio: 17 / 54
Analysis date: 2016-01-30 12:56:17 UTC
Antivirus Result Update
AVG Yontoo.EAF 20160130
Agnitum Adware.Yontoo!wyndF87Yrz8 20160129
Avira ADWARE/Yontoo.Gen 20160130
ClamAV Win.Adware.Yontoo-5 20160130
Comodo UnclassifiedMalware 20160130
DrWeb Adware.Plugin.964 20160130
ESET-NOD32 a variant of Win32/Adware.Yontoo.B 20160130
Fortinet Riskware/Yontoo 20160130
Ikarus Gen.Trojan.Heur 20160129
Malwarebytes PUP.Optional.Yontoo 20160130
NANO-Antivirus Riskware.Win32.Plugin.dtsizc 20160130
Qihoo-360 Win32/Trojan.845 20160130
Rising PE:Malware.Generic/QRS!1.9E2D [F] 20160129
Symantec PUA.Yontoo 20160129
TotalDefense Win32/Yontoo!generic 20160129
VIPRE Yontoo (v) 20160130
Zillya Trojan.Agent2.Win32.25364 20160130
ALYac 20160130
Ad-Aware 20160130
AegisLab 20160130
AhnLab-V3 20160129
Alibaba 20160129
Antiy-AVL 20160130
Arcabit 20160130
Avast 20160130
Baidu-International 20160129
BitDefender 20160130
Bkav 20160129
ByteHero 20160130
CAT-QuickHeal 20160129
CMC 20160130
Cyren 20160129
Emsisoft 20160130
F-Prot 20160129
F-Secure 20160129
GData 20160130
Jiangmin 20160129
K7AntiVirus 20160129
K7GW 20160129
Kaspersky 20160129
McAfee 20160130
McAfee-GW-Edition 20160130
MicroWorld-eScan 20160130
Microsoft 20160130
Panda 20160129
SUPERAntiSpyware 20160130
Sophos 20160130
TheHacker 20160130
TrendMicro 20160130
TrendMicro-HouseCall 20160130
VBA32 20160128
ViRobot 20160129
Zoner 20160130
nProtect 20160129
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (c) 2011 Yontoo LLC. All rights reserved.

Publisher Yontoo LLC
Product Yontoo
Internal name TSULoader
File version 2011.12.22.1124
Description Installer
Comments WinNT (x86) Unicode
Signature verification Signed file, verified signature
Signers
[+] Yontoo LLC
Status This certificate or one of the certificates in the certificate chain is not time valid. (The signer certificate expired on 5/9/2012, well before this analysis. The "verified signature" result above means the chain checks out cryptographically; whether Windows still treats the signature as valid after the certificate's expiry depends on a trusted timestamp countersignature, which this report does not display.)
Valid from 8:10 PM 5/9/2011
Valid to 8:10 PM 5/9/2012
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint DB1E387268ADBCAF799EDECDC143A6610E96842E
Serial number 07 E1 F9 EB CC C1 AC
[+] Go Daddy Secure Certification Authority
Status Valid
Valid from 2:54 AM 11/16/2006
Valid to 2:54 AM 11/16/2026
Valid usage All
Algorithm sha1RSA
Thumbprint 7C4656C3061F7F4C0D67B319A855F60EBC11FC44
Serial number 03 01
[+] Go Daddy Class 2 Certification Authority
Status Valid
Valid from 6:06 PM 6/29/2004
Valid to 6:06 PM 6/29/2034
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 2796BAE63F1801E277261BA0D77770028F20EEE4
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-03-11 02:55:32
Entry Point 0x00001627
Number of sections 5
PE sections
Overlays
MD5 a68c85e8197ec93309b0ddcf474c2be3
File type data
Offset 20480
Size 793456
Entropy 8.00
PE imports
GetLastError
HeapFree
CreateFileMappingW
OutputDebugStringW
GetSystemInfo
GetModuleFileNameW
GetVersionExW
GetExitCodeProcess
ExitProcess
GetFileAttributesW
lstrlenW
GetFileSize
SetFileTime
GetCommandLineW
MultiByteToWideChar
DeleteFileW
lstrcatW
GetProcessHeap
lstrcpynW
SetFilePointer
MapViewOfFile
GetModuleHandleA
ReadFile
GetTempPathW
CloseHandle
GetModuleHandleW
UnmapViewOfFile
WriteFile
CreateFileW
Sleep
SetFileAttributesW
HeapAlloc
GetProcAddress
GetCurrentProcessId
ShellExecuteExW
wvsprintfW
MessageBoxW
PeekMessageW
wsprintfW
MsgWaitForMultipleObjects
TranslateMessage
DispatchMessageW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
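Three details above matter to an analyst: the expired signer certificate; the 793,456-byte overlay at offset 20480 with entropy 8.00 (the file size, 813,936 bytes, is exactly 20480 + 793456, so everything past the last section is that blob); and an import set (GetTempPathW, CreateFileW, WriteFile, SetFileAttributesW, ShellExecuteExW, DeleteFileW) typical of a stub that writes an embedded payload to a temporary file and runs it. One catch when carving such an overlay: the Authenticode blob itself is stored past the last section, so the overlay a tool reports includes the WIN_CERTIFICATE structure, and carving without removing it yields a payload with a signature tacked onto its tail. The script below is an added example written for this page, not VirusTotal's or Yontoo's code: it parses the section table and the security data directory, separates the signature from the rest of the overlay, computes the entropy of what remains, and decodes the COFF timestamp so it can be compared with the certificate dates and version resource above. Because the sample itself is not on the page, the input is a constructed minimal PE32 that reuses only the timestamp value from this report; the offsets, section contents and payload bytes are assumptions.

```python
"""Carve a PE overlay and separate the Authenticode blob from it (added example)."""
import math
import random
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot holding the WIN_CERTIFICATE file offset and size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; a value near 8.00 indicates compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_overlay(data: bytes) -> dict:
    """Locate the overlay (bytes past the last section) and the signature blob inside it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)  # data directories start: PE32 vs PE32+
    sig_off, sig_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sec_hdr = opt + opt_size
    image_end = struct.unpack_from("<I", data, opt + 60)[0]  # SizeOfHeaders, covers a section-less file
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_hdr + 40 * i + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    overlay = data[image_end:]
    payload = overlay
    sig_in_overlay = False
    if sig_size and sig_off >= image_end and sig_off + sig_size <= len(data):
        # The security directory holds a raw file offset, not an RVA. The blob normally sits after the
        # last section, i.e. inside what tools report as "overlay", so it must be cut out before carving.
        sig_in_overlay = True
        win_cert_len = struct.unpack_from("<I", data, sig_off)[0]  # WIN_CERTIFICATE.dwLength
        if win_cert_len != sig_size:
            raise ValueError("WIN_CERTIFICATE dwLength disagrees with the security directory size")
        rel = sig_off - image_end
        payload = overlay[:rel] + overlay[rel + sig_size:]
    return {
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "overlay_offset": image_end,
        "overlay_size": len(overlay),
        "signature_in_overlay": sig_in_overlay,
        "payload_size": len(payload),
        "payload_entropy": round(shannon_entropy(payload), 2),
    }


def build_sample_pe(section: bytes, appended: bytes, cert_blob: bytes) -> bytes:
    """Constructed test input (assumption, not the real sample): a minimal, non-runnable PE32 with one
    section, an appended blob and a trailing WIN_CERTIFICATE, mimicking a signed installer with an overlay."""
    opt_size, headers_size = 224, 0x400
    sec_ptr = headers_size
    overlay_off = sec_ptr + len(section)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob  # rev 2.0, PKCS#7 type
    sig_off = overlay_off + len(appended)
    img = bytearray(headers_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, one section, TimeDateStamp taken from this report (2011-03-11 02:55:32 UTC)
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 1299812132, 0, 0, opt_size, 0x0102)
    opt = 0x44 + 20
    struct.pack_into("<H", img, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", img, opt + 60, headers_size)   # SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sig_off, len(win_cert))
    struct.pack_into("<8sIIIIIIHHI", img, opt + opt_size,
                     b".text", len(section), 0x1000, len(section), sec_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(img) + section + appended + win_cert


def sample_payload(n: int = 8192) -> bytes:
    """Deterministic pseudo-random bytes standing in for a compressed payload (constructed input)."""
    rng = random.Random(2016)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    sample = build_sample_pe(b"\x90" * 0x200, sample_payload(), b"\x30" * 512)
    print(analyze_overlay(sample))
```

Against a real file, call analyze_overlay(open(path, "rb").read()). A payload entropy near 8.0 together with a large overlay and the drop-and-execute import set is a strong hint that the stub's real behaviour lives in the carved blob rather than in the 7,680 bytes of code the PE header accounts for.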
Number of PE resources by type
RT_ICON 3
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 6
Debug information
ExifTool file metadata
UninitializedDataSize 0
Comments WinNT (x86) Unicode
LinkerVersion 8.0
ImageVersion 6.0
ProductName Yontoo
FileVersionNumber 2011.12.22.1124
LanguageCode Neutral
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 11776
FileSubtype 0
EntryPoint 0x1627
MIMEType application/octet-stream
FileVersion 2011.12.22.1124
TimeStamp 2011:03:11 03:55:32+01:00 (the same instant as the 2011-03-11 02:55:32 UTC compilation timestamp above)
FileType Win32 EXE
PEType PE32
SubsystemVersion 4.0
FileDescription Installer
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Yontoo LLC
CodeSize 7680
Loader n'PackageCode
ProductVersionNumber 1.10.2.0
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 7fb2e8450fd8fced99d908e11a4b5976
SHA1 314c9e8ae8f5482a2030b8862aeb0d12743dd0bc
SHA256 2cbf1f3d5ff59a9efa4ec5ae54b58c6451edc08f57f25bc97896de4741315cca
ssdeep 24576:gbfU+CBulfOTubNrKSkMl74yltDPkQdizG+d:d7By6uZK3qtDBkh

authentihash 2edecfca3e93005e4b2bc74034fc152733c741119c790d6204594e38c0d9f29f
imphash 37d42aa1fd7036e753cffeb6674fd69d
File size 794.9 KB ( 813936 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.5%)
Tags peexe signed overlay

VirusTotal metadata
First submission 2012-01-03 15:02:55 UTC
Last submission 2012-11-14 21:29:37 UTC
File names YontooSetup.exe
TSULoader
876413897FB86B3219226E977504DD12 - YontooSetup.exe
314c9e8ae8f5482a2030b8862aeb0d12743dd0bc.bin
29D66764706833A86BB30C95B6E41C0009DC5E4E.exe
13264743283857636969
314C9E8AE8F5482A2030B8862AEB0D12743DD0BC
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/doc/pua.html .

Symantec reputation Suspicious.Insight