Reason Labs

plugincontainer.exe

Sub Suit

The application plugincontainer.exe by Sub Suit has been detected as Adware.Yontoo. It runs as a Windows service named “Service Mgr DigitalMore” in its own process (Win32OwnProcess, see the Service section below).
Publisher:
Sub Suit  (signed and verified)

Version:
1.0.6284.4445

MD5:
08961463d7c3e1834acae9daf44bc7ab

SHA-1:
2b0a61e582d7b0c415110cddc0d0b231c9025969

SHA-256:
0d9095e15af54d86cd189109d6f505df5883891fe89edaabba7d7b27db58df42

Detection:
Adware.Yontoo

Risk:
Medium

Explanation:
Part of the Yontoo adware component, a web browser plugin that injects unwanted ads, coupon offers and popups in the browser.

Analysis date:
12/15/2018 10:08:23 PM UTC

File size:
820.9 KB (840,632 bytes)

Product version:
1.0.6284.4445

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\8708eaaa-1c2b-4faa-8923-a6c9f88eeb0e\plugincontainer.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
11/2/2016 2:00:00 AM

Valid to:
11/8/2017 1:59:59 AM

Subject:
CN=Sub Suit, O=Sub Suit, L=Los Angeles, S=California, C=US

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
6BFB81D4F5B18E6091DC517DEF64E096

File PE Metadata
Compilation timestamp:
3/16/2017 11:28:31 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0x6DEFF

Entry point:
E8, 99, 07, 00, 00, E9, 80, FE, FF, FF, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, BF, F4, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, AE, F4, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, 00, 4E, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24...

Characteristics:
0x258

Code size:
648 KB (663,552 bytes)

Properties
Services:
Service Mgr DigitalMore

Service
Display name:
Service Mgr DigitalMore

Type:
Win32OwnProcess

Depends on:
RPCSS


There are numerous known code variations that share the same compilation structure.
