adobe_flash_setup-133017570.exe

CertFreeCertificateContext

Bicoastal Interactive

The file adobe_flash_setup-133017570.exe by Bicoastal Interactive has been detected as a potentially unwanted program by 15 anti-malware scanners. The file has been seen being downloaded from intva31.bloggingmedallion.info and multiple other hosts.
Publisher:
Bicoastal Interactive (signed and verified)

Product:
CertFreeCertificateContext

Version:
9.14.157.518

MD5:
b815a6390ffcc4f054cda4a7f168cc00

SHA-1:
75693831a8f489c78be0abaf42159d6d33b631bd

SHA-256:
18b618115a9b6d31fdf5b83596a71d9032a1478c195db3a4dc3826e4ecfd806a

Scanner detections:
15 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 2:44:11 AM UTC

Scan engine             Detection                                 Engine version
AhnLab V3 Security      PUP/Win32.DownloadAdmin.R195114           3.8.3.16
Avira AntiVirus         TR/Siggen.gkdsw                           8.3.3.4
avast!                  Win32:Rootkit-gen [Rtk]                   2014.9-170226
Baidu Antivirus         Win32.Trojan.WisdomEyes.16070401.9500     4.0.3.17226
Bkav FE                 W32.HfsAdware                             1.3.0.8871
Comodo Security         Application.Win32.DownloadAdmin.Y         26663
Dr.Web                  Trojan.Siggen7.10262                      9.0.1.057
Emsisoft Anti-Malware   Application.AdLoad                        8.17.02.26.06
IKARUS anti.virus       PUA.DownloadAdmin.Aa                      0.2.1.2
McAfee                  GenericRXAZ-EG!B815A6390FFC               5600.6111
Qihoo 360 Security      HEUR/QVM10.1.0000.Malware.Gen             1.0.0.1120
Reason Heuristics       PUP.DownloadAdmin (M)                     17.2.26.18
SUPERAntiSpyware        PUP.DownloadAdmin/Variant                 8567
Vba32 AntiVirus         Signed-Downware.DownloadAdmin             3.12.26.4
VIPRE Antivirus         Trojan.Win32.Generic                      56262

File size:
139.8 KB (143,144 bytes)

Product version:
7.12.96.910

Copyright:
Copyright (C) 2014 Default Browserpos

Original file name:
Taskbar.exe

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\adobe_flash_setup-133017570.exe.zhvax5q.partial

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
5/19/2016 10:50:40 PM

Valid to:
5/19/2017 10:50:40 PM

Subject:
CN=Bicoastal Interactive, O=Bicoastal Interactive, L=San Francisco, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0096C56AE03C38A570

File PE Metadata
Compilation timestamp:
11/29/2016 6:25:48 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x79BD

Entry point:
E8, BC, 36, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, EC, C4, 41, 00, FF, 15, D0, 50, 41, 00, 85, C0, 75, 18, 56, E8, 0E, 10, 00, 00, 8B, F0, FF, 15, BC, 50, 41, 00, 50, E8, 13, 10, 00, 00, 59, 89, 06, 5E, 5D, C3, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A1, CC, B8, 41, 00, 33, C5, 89, 45, FC, 83, 7D, 08, FF, 57, 74, 09, FF, 75, 08, E8, C3, 3D, 00, 00, 59, 83, A5, E0, FC, FF, FF, 00, 8D, 85, E4, FC, FF, FF, 6A, 4C, 6A, 00, 50, E8, B7, 3D, 00, 00, 8D, 85, E0, FC...

Code size:
77.5 KB (79,360 bytes)

The file adobe_flash_setup-133017570.exe has been seen being distributed by the following 4 URLs.

http://intva31.bloggingmedallion.info/dl-pure/1205333/.../?bc=1205333&checksum=133040023&ephemeral=1&filename=adobe_flash_setup.exe&cb=-1821882480&hashstring=58b31d6ad384b&usefilename=true&executableroutePath=1205085&stub=true

http://intva31.bloggingmedallion.info/dl-pure/1205333/.../?bc=1205333&checksum=133041696&ephemeral=1&filename=adobe_flash_setup.exe&cb=-95609116&hashstring=58b31d6ad384b&usefilename=true&executableroutePath=1205085&stub=true

http://intva31.bloggingmedallion.info/dl-pure/1205333/.../?bc=1205333&checksum=133056539&ephemeral=1&filename=adobe_flash_setup.exe&cb=-1584944412&hashstring=58b31d6ad384b&usefilename=true&executableroutePath=1205085&stub=true

http://intva31.bloggingmedallion.info/dl-pure/1205333/.../?bc=1205333&checksum=133039941&ephemeral=1&filename=adobe_flash_setup.exe&cb=-204670299&hashstring=58b31d6ad384b&usefilename=true&executableroutePath=1205085&stub=true

When executed, the file has been observed making the following network connections in live environments.

TCP (HTTP):      Connects to ec2-52-6-18-250.compute-1.amazonaws.com (52.6.18.250:80)
TCP (HTTP):      Connects to blk-237-115-18.eastlink.ca (173.237.115.18:80)
TCP (HTTP):      Connects to post.securestudies.com (165.193.78.234:80)
TCP (HTTP):      Connects to blk-237-115-19.eastlink.ca (173.237.115.19:80)
TCP (HTTP SSL):  Connects to a23-203-119-127.deploy.static.akamaitechnologies.com (23.203.119.127:443)
TCP (HTTP):      Connects to a23-200-86-142.deploy.static.akamaitechnologies.com (23.200.86.142:80)
TCP (HTTP):      Connects to www.turktelekom.com.tr (195.175.114.226:80)
TCP (HTTP):      Connects to rlchq901.ghanatel.com.gh (80.87.65.83:80)
TCP (HTTP):      Connects to a41-206-100-16.deploy.akamaitechnologies.com (41.206.100.16:80)
TCP (HTTP):      Connects to net-inst-ash.opera.com (37.228.108.239:80)
TCP (HTTP):      Connects to host-213.158.175.90.tedata.net (213.158.175.90:80)
TCP (HTTP):      Connects to host-213.158.175.82.tedata.net (213.158.175.82:80)
TCP (HTTP SSL):  Connects to a95-100-52-37.deploy.akamaitechnologies.com (95.100.52.37:443)
TCP (HTTP):      Connects to a41-206-100-17.deploy.akamaitechnologies.com (41.206.100.17:80)
TCP (HTTP SSL):  Connects to a104-92-201-113.deploy.static.akamaitechnologies.com (104.92.201.113:443)
TCP (HTTP SSL):  Connects to a104-109-150-52.deploy.static.akamaitechnologies.com (104.109.150.52:443)

Remove adobe_flash_setup-133017570.exe - Powered by Reason Core Security