SHA256: 2cbf1f3d5ff59a9efa4ec5ae54b58c6451edc08f57f25bc97896de4741315cca
File name: TSULoader
Detection ratio: 20 / 55
Analysis date: 2016-02-24 08:28:40 UTC ( 5 months ago )
Antivirus Result Update (engines that flagged the file, 20 of 55)
AVG Yontoo.EAF 20160224
AVware Yontoo (v) 20160224
AegisLab Adwareare.Yontoo.Gen!c 20160224
Yandex Adware.Yontoo!wyndF87Yrz8 20160221
Avira (no cloud) ADWARE/Yontoo.Gen 20160223
ClamAV Win.Adware.Yontoo-5 20160224
Comodo UnclassifiedMalware 20160224
DrWeb Adware.Plugin.964 20160224
ESET-NOD32 a variant of Win32/Adware.Yontoo.B 20160224
Fortinet Riskware/Yontoo 20160224
Ikarus Gen.Trojan.Heur 20160224
Malwarebytes PUP.Optional.Yontoo 20160224
NANO-Antivirus Riskware.Win32.Plugin.dtsizc 20160224
Qihoo-360 Win32/Trojan.845 20160224
Rising PE:Malware.Generic/QRS!1.9E2D [F] 20160224
Symantec PUA.Yontoo 20160223
Tencent Win32.Trojan.Multiple.Ammk 20160224
TotalDefense Win32/Yontoo!generic 20160223
VIPRE Yontoo (v) 20160224
Zillya Trojan.Agent2.Win32.25364 20160223
Engines with no detection (signature update date only)
ALYac 20160224
Ad-Aware 20160224
AhnLab-V3 20160224
Antiy-AVL 20160224
Arcabit 20160224
Avast 20160224
Baidu-International 20160223
BitDefender 20160224
Bkav 20160223
ByteHero 20160224
CAT-QuickHeal 20160224
CMC 20160223
Cyren 20160224
Emsisoft 20160224
F-Prot 20160224
F-Secure 20160224
GData 20160224
Jiangmin 20160224
K7AntiVirus 20160224
K7GW 20160224
Kaspersky 20160224
McAfee 20160224
McAfee-GW-Edition 20160224
eScan 20160224
Microsoft 20160224
Panda 20160223
SUPERAntiSpyware 20160224
Sophos 20160224
TheHacker 20160222
TrendMicro 20160224
TrendMicro-HouseCall 20160224
VBA32 20160224
ViRobot 20160224
Zoner 20160224
nProtect 20160223
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (c) 2011 Yontoo LLC. All rights reserved.

Product Yontoo
Internal name TSULoader
File version 2011.12.22.1124
Description Installer
Comments WinNT (x86) Unicode
Signature verification Signed file, verified signature
Signing date 9:29 AM 2/24/2016
Signers
[+] Yontoo LLC
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Go Daddy Secure Certification Authority
Valid from 8:10 PM 5/9/2011
Valid to 8:10 PM 5/9/2012
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint DB1E387268ADBCAF799EDECDC143A6610E96842E
Serial number 07 E1 F9 EB CC C1 AC
[+] Go Daddy Secure Certification Authority
Status Valid
Issuer Go Daddy Class 2 Certification Authority
Valid from 2:54 AM 11/16/2006
Valid to 2:54 AM 11/16/2026
Valid usage All
Algorithm sha1RSA
Thumbprint 7C4656C3061F7F4C0D67B319A855F60EBC11FC44
Serial number 03 01
[+] Go Daddy Class 2 Certification Authority
Status Valid
Issuer Go Daddy Class 2 Certification Authority
Valid from 6:06 PM 6/29/2004
Valid to 6:06 PM 6/29/2034
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 2796BAE63F1801E277261BA0D77770028F20EEE4
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-03-11 02:55:32
Entry Point 0x00001627
Number of sections 5
PE sections
Overlays
MD5 a68c85e8197ec93309b0ddcf474c2be3
File type data
Offset 20480
Size 793456
Entropy 8.00
PE imports
GetLastError
HeapFree
CreateFileMappingW
OutputDebugStringW
GetSystemInfo
GetModuleFileNameW
GetVersionExW
GetExitCodeProcess
ExitProcess
GetFileAttributesW
lstrlenW
GetFileSize
SetFileTime
GetCommandLineW
MultiByteToWideChar
DeleteFileW
lstrcatW
GetProcessHeap
lstrcpynW
SetFilePointer
MapViewOfFile
GetModuleHandleA
ReadFile
GetTempPathW
CloseHandle
GetModuleHandleW
UnmapViewOfFile
WriteFile
CreateFileW
Sleep
SetFileAttributesW
HeapAlloc
GetProcAddress
GetCurrentProcessId
ShellExecuteExW
wvsprintfW
MessageBoxW
PeekMessageW
wsprintfW
MsgWaitForMultipleObjects
TranslateMessage
DispatchMessageW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
Number of PE resources by type
RT_ICON 3
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 6
Debug information
ExifTool file metadata
UninitializedDataSize 0
Comments WinNT (x86) Unicode
LinkerVersion 8.0
ImageVersion 6.0
ProductName Yontoo
FileVersionNumber 2011.12.22.1124
LanguageCode Neutral
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 11776
FileSubtype 0
EntryPoint 0x1627
MIMEType application/octet-stream
FileVersion 2011.12.22.1124
TimeStamp 2011:03:11 03:55:32+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 4.0
FileDescription Installer
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Yontoo LLC
CodeSize 7680
Loader n'PackageCode
ProductVersionNumber 1.10.2.0
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 7fb2e8450fd8fced99d908e11a4b5976
SHA1 314c9e8ae8f5482a2030b8862aeb0d12743dd0bc
SHA256 2cbf1f3d5ff59a9efa4ec5ae54b58c6451edc08f57f25bc97896de4741315cca
ssdeep 24576:gbfU+CBulfOTubNrKSkMl74yltDPkQdizG+d:d7By6uZK3qtDBkh
authentihash 2edecfca3e93005e4b2bc74034fc152733c741119c790d6204594e38c0d9f29f
imphash 37d42aa1fd7036e753cffeb6674fd69d
File size 794.9 KB ( 813936 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.5%)
Tags peexe signed overlay

VirusTotal metadata
First submission 2012-01-03 15:02:55 UTC ( 4 years, 6 months ago )
Last submission 2012-11-14 21:29:37 UTC ( 3 years, 8 months ago )
File names YontooSetup.exe
TSULoader
876413897FB86B3219226E977504DD12 - YontooSetup.exe
314c9e8ae8f5482a2030b8862aeb0d12743dd0bc.bin
29D66764706833A86BB30C95B6E41C0009DC5E4E.exe
13264743283857636969
314C9E8AE8F5482A2030B8862AEB0D12743DD0BC
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/doc/pua.html .

Symantec reputation Suspicious.Insight