Reason Labs

34.0.5.dll

Wander Burst

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The module 34.0.5.dll by Wander Burst has been detected as Adware.Yontoo.

Publisher:
Wander Burst  (signed and verified)

Version:
1.0.5672.35809

MD5:
fa0575c37014edf2b8ab02e3c1112e39

SHA-1:
1d293258c9061b45738b2ffc31d9461774062cae

SHA-256:
9156dfe49b82c7038eed9ef8fcc3bada5020da2cc6ed901c971ad2724af05cca

Detection:
Adware.Yontoo

Risk:
Medium

Explanation:
Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser.

Analysis date:
11/16/2018 1:09:04 PM UTC

File size:
30.7 KB (31,456 bytes)

Product version:
1.0.5672.35809

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\fccb0821-00ee-466c-acb5-2a5cec258511\plugins\7\resources\34.0.5.dll

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/19/2015 3:00:00 AM

Valid to:
6/19/2016 2:59:59 AM

Subject:
CN=Wander Burst, O=Wander Burst, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4A9C9001F9FFB60F7F507CDFCDC1B744

File PE Metadata
Compilation timestamp:
7/14/2015 5:53:42 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
768:62QhqMOlXGkWMhS3Ysy4qsAOZhd/T+uD2f:6FrKXGOS3Y3OZr9Ds

Entry address:
0x3844

Entry point:
8B, FF, 55, 8B, EC, 83, 7D, 0C, 01, 75, 05, E8, 2A, 05, 00, 00, FF, 75, 08, 8B, 4D, 10, 8B, 55, 0C, E8, CC, FE, FF, FF, 59, 5D, C2, 0C, 00, CC, FF, 25, 18, 51, 00, 10, FF, 25, 14, 51, 00, 10, 6A, 14, 68, C8, 5A, 00, 10, E8, 80, 04, 00, 00, FF, 35, D0, 75, 00, 10, 8B, 35, 30, 50, 00, 10, FF, D6, 89, 45, E4, 83, F8, FF, 75, 0C, FF, 75, 08, FF, 15, EC, 50, 00, 10, 59, EB, 64, 6A, 08, E8, 7D, 05, 00, 00, 59, 83, 65, FC, 00, FF, 35, D0, 75, 00, 10, FF, D6, 89, 45, E4, FF, 35, CC, 75, 00, 10, FF, D6, 89, 45, E0...
Characteristics:
0x8450

Code size:
12.5 KB (12,800 bytes)

34.0.5.dll is installed together with the following files.

Adware.Yontoo
38.0.5.dll  1.0.5672.35809  (0ac2d83c767862719884b611aa98b6901ffce95a)

Adware.Yontoo
39.0.0.dll  1.0.5672.35809  (ef6333176bd4936b46111fe7f6d3e2a416fae1d2)

There are numerous known code variations that share the same compilation structure.

Adware.Yontoo.StrongSignal
34.0.5.dll  1.0.5669.3369  (c9fc82bdc47a1299c6ac8378f6a1538d1773e327)

Adware.Yontoo.GlassBottle
34.0.5.dll  1.0.5669.3357  (4815675cd9f529d5e7dc76f768ef75112fcbdf3e)

Adware.Yontoo.SaleClipper
34.0.5.dll  1.0.5669.1629  (9cd65afe19aa492e9e8da2718ad3981091213f34)

Adware.Yontoo.LuckyBright
34.0.5.dll  1.0.5669.1622  (d4494894bf9d94e31b317a018728e57203e811f7)

Adware.Yontoo.FilterResults
34.0.5.dll  1.0.5669.1595  (b6432f05e3d81cbbc62609ac814a65123f9e3a70)

Adware.Yontoo.JazzSpot
34.0.5.dll  1.0.5669.1580  (e5f091eb915d3e48466685c0109859b57039f98b)

Adware.Yontoo.RazorWeb
34.0.5.dll  1.0.5669.1578  (a76cb177e2a247598630b483242c5947ea8174b5)

Adware.Yontoo.StrongSignal
34.0.5.dll  1.0.5668.33973  (4358a6ec00674febed8ba7d25e17e71e0ee1beaf)

Adware.Yontoo.LuckyBright
34.0.5.dll  1.0.5668.32223  (1bcb9c46eb3344a28d4e1b95fee92a51ad12b7b9)

Adware.Yontoo.FilterResults
34.0.5.dll  1.0.5668.32194  (7839f3ff1d0bee8ac1562e439904ff4fb1fbd617)

Adware.Yontoo.RazorWeb
34.0.5.dll  1.0.5668.32182  (0d8a04c4cb6d7917f0e42be43256ab4169ad48d4)

Adware.Yontoo.DragonBranch
34.0.5.dll  1.0.5668.22458  (ae0bf49701fd884ed3fa41d6e1886253e058d0c4)

Adware.Yontoo.CandleJar
34.0.5.dll  1.0.5668.21116  (03db64494f4d6512b2a245c078eaadaace952751)

Adware.Yontoo.FilterResults
34.0.5.dll  1.0.5668.19446  (8b941f37a36cb0bbb1663de7e3fc04e9bc718e2f)

Adware.Yontoo.RazorWeb
34.0.5.dll  1.0.5668.19237  (4417baea9fdd3d9d73e390526605fb36736c3c28)

Adware.Yontoo.WanderBurst.Installer
setup.exe  (5d1e74a8de10817e6d0d1ae9dde9549a7529eb8b)

Adware.Yontoo
plugincontainer.exe  (790d2ee8d295f51d021a5a8ea65a275faaee7c05)

Adware.Yontoo
updater.exe  (a9d1a6e8d6ccc51ddbe55f7f2b444643e1ccd5fe)

Adware.Yontoo.WanderBurst
plugin.exe  (d3b5d012118cae0c9970dec2a74a611c6e325141)

Adware.Yontoo
0f4e02f8-f10e-493d-a1a7-3aed7ba7b110.dll  (484cb43a45a7c733d77899603361cb5d025eae92)

Adware.Yontoo
38.0.5.dll  (0ac2d83c767862719884b611aa98b6901ffce95a)

Adware.Yontoo
39.0.0.dll  (ef6333176bd4936b46111fe7f6d3e2a416fae1d2)

Adware.Yontoo.Installer
uninstaller.exe  (125fbecc8a0d732071beb7e1147949fa193621d9)