adobe_flash_player-78233303.exe

All Team Interactive

The application adobe_flash_player-78233303.exe by All Team Interactive has been detected as a potentially unwanted program by 6 anti-malware scanners. The file has been seen being downloaded from intva31.castlerockcyberspace.info and multiple other hosts.
Publisher:
All Team Interactive  (signed and verified)

MD5:
cadf0b61382488ea899d70e59884d6d5

SHA-1:
6b6adccaa920ec6d11d706aca954cead4379f47b

SHA-256:
b9f1dffdc773979488286108e05829373c0c3f6f17e85d942a1e148d0a5da8e6

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications using the Vittalia monitization installer.

Analysis date:
11/27/2024 4:49:29 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
2014.9-160709

Dr.Web
Trojan.Vittalia.12509
9.0.1.05190

IKARUS anti.virus
PUA.DownloadAdmin
t3scan.2.1.6.0

Kaspersky
not-a-virus:Downloader.Win32.DownloAdmin
14.0.0.-66

Qihoo 360 Security
QVM20.1.Malware.Gen
1.0.0.1120

Reason Heuristics
PUP.Vittallia.AllTeamI (M)
16.7.11.8

File size:
493.3 KB (505,120 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\adobe_flash_player-78233303.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
5/20/2016 1:20:39 AM

Valid to:
5/20/2017 1:20:39 AM

Subject:
CN=All Team Interactive, O=All Team Interactive, L=San Francisco, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00FF26C9A9BE826C7C

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
3.0

CTPH (ssdeep):
12288:5dALv+Mv3eWYKyR8KaAQ3jcGeh3XqNHTgHyMB7knZnl1/pBfUwbO:5GLv+kuZbR8KaAQ3jcXRatTgSMAlDBfW

Entry address:
0x3D2A0

Entry point:
C6, 05, 50, E2, 43, 00, 00, B9, 00, C0, 47, 00, BA, 04, C0, 47, 00, B8, 50, F8, 46, 00, E8, 65, FF, FF, FF, E8, 70, FF, FF, FF, B8, 30, F8, 46, 00, E8, E6, 3B, FD, FF, C3, 00, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, FF, FF, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.1754

Code size:
240.7 KB (246,496 bytes)

The file adobe_flash_player-78233303.exe has been seen being distributed by the following 21 URLs.

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78342467&ephemeral=1&filename=adobe_flash_player.exe&cb=-631455191&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78421865&ephemeral=1&filename=adobe_flash_player.exe&cb=-897377182&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78613536&ephemeral=1&filename=adobe_flash_player.exe&cb=-423111511&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.arrowheadsoup.info/dl-pure/1203367/.../?bc=1203367&checksum=79926618&ephemeral=1&filename=adobe_flash_player.exe&cb=1760897221&hashstring=45Gfwjid7sCB&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78483377&ephemeral=1&filename=adobe_flash_player.exe&cb=1521478211&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78415854&ephemeral=1&filename=adobe_flash_player.exe&cb=-1438544921&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78590894&ephemeral=1&filename=adobe_flash_player.exe&cb=-1550113183&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78485225&ephemeral=1&filename=adobe_flash_player.exe&cb=-563213577&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78430603&ephemeral=1&filename=adobe_flash_player.exe&cb=873000554&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78543210&ephemeral=1&filename=adobe_flash_player.exe&cb=1614049369&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78294419&ephemeral=1&filename=adobe_flash_player.exe&cb=976771610&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

http://intva31.castlerockcyberspace.info/dl-pure/1203367/.../?bc=1203367&checksum=78309944&ephemeral=1&filename=adobe_flash_player.exe&cb=273746198&hashstring=9PfgoQRWtFP6&usefilename=true&executableroutePath=1203981&stub=true

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-52-6-18-250.compute-1.amazonaws.com  (52.6.18.250:80)

Remove adobe_flash_player-78233303.exe - Powered by Reason Core Security