Reason Labs

plugin.exe

UrTurn Filter

The application plugin.exe by UrTurn Filter has been detected as Adware.Yontoo.
Publisher:
UrTurn Filter  (signed and verified)

Version:
1.0.6283.9820

MD5:
429971098543326be9c80e738592c20f

SHA-1:
5f54674951f4f432d4a7fbad153dd6270735ead6

SHA-256:
cedf39f68e2e7dc5e708fb02acad7c8fb457295c4c8540b6a0cc2554bf8c282d

Detection:
Adware.Yontoo

Risk:
Medium

Explanation:
Part of the Yontoo adware component, a web browser plugin that injects unwanted ads, coupon offers and popups in the browser.

Analysis date:
12/15/2018 11:07:15 PM UTC

File size:
1.1 MB (1,188,576 bytes)

Product version:
1.0.6283.9820

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\4f596ec3-77fb-4fc3-82cb-691c42c71d77\plugins\5\plugin.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
3/30/2016 3:00:00 AM

Valid to:
3/31/2017 2:59:59 AM

Subject:
CN=UrTurn Filter, O=UrTurn Filter, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
21E2C60F629BAA3348D6DD5C817D4E79

File PE Metadata
Compilation timestamp:
3/15/2017 2:30:50 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x17188A

Entry point:
E8, 12, 22, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, 70, A6, 70, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 78, 07, 70, 00, 01, 0F, 82, 05, 23, 01, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03...

Entropy:
6.5440

Characteristics:
0x258

Code size:
979.5 KB (1,003,008 bytes)

Properties
Integrity level:
16384

There are numerous known code variations that share the same compilation structure.

Adware.Yontoo
plugin.exe  1.0.6283.42365  (cf4c58bab8192eea72390fc080b11c4641482454)

Adware.Yontoo
plugin.exe  1.0.6283.37226  (5969cf9142682a96b706b4dbe10962a227b785f6)

Adware.Yontoo
plugin.exe  1.0.6283.37226  (879c47856c2e291f327d6c536d0bc7381922ab1f)

Adware.Yontoo
plugin.exe  1.0.6283.37226  (4087616519ae6acb4351e54e2a27420b462785b2)

Adware.Yontoo
plugin.exe  1.0.6283.27948  (349339df7aa80094eddce386fdb2ac42521e4b63)

Adware.Yontoo
plugin.exe  1.0.6283.27948  (fa198685230d48e71b34b4c0bed02a86460c48f8)

Adware.Yontoo
plugin.exe  1.0.6283.27948  (f852cbbdde9480796c072586e99237cda105d3f6)

Adware.Yontoo
plugin.exe  1.0.6283.27948  (e717aaccc2cafe2438a3de48184c110e2abf5ae0)

Adware.Yontoo
plugin.exe  1.0.6283.9820  (b59de85160cad1990d8d55cfea2947c4d8971b5b)

Adware.Yontoo
plugin.exe  1.0.6283.1039  (1509b29d3c5fba777955e62ac0c9869aa192641a)

Adware.Yontoo
plugin.exe  1.0.6283.1039  (7a4cb5b18abeec79eb1ebb46b4c90e0ef6cbecf3)

Adware.Yontoo
plugin.exe  1.0.6282.8071  (e92779cbe2d571614558a3c9669f88bdfac5b48b)

Adware.Yontoo
plugin.exe  1.0.6281.15264  (ebd5ed06dce57a2ca498b51e0f3c79c7b7c5f2a9)

Adware.Yontoo
plugin.exe  1.0.6262.8815  (241149f5c62c4731314ebbe889ab91547dff1de5)

Adware.Yontoo
plugin.exe  1.0.6261.43045  (6232cfb0b9450aaf1be2d8074af0986fb68161c2)

Adware.Yontoo.RE
plugincontainer.exe  (f693a1dfa44930f6e1b3500eab1d0a198a78b8c4)

Adware.Yontoo
updater.exe  (5523507389cf14f233098f2f687050f9375c50d9)

Adware.Yontoo.RE
{94583c35-f843-48a4-8f50-228a7ac5df1c}.dll  (fb9310048d265783e789da8ee05893d5e8395bc3)

Adware.Yontoo.RE
{33534a9d-44c1-4ee2-83ef-edc85104b098}.dll  (36bd53762dd7fb37ffbeb226c8df7a9812a83dd8)
