download-adobe-flash-player.exe

Covus Pro GmbH

The application download-adobe-flash-player.exe by Covus Pro GmbH has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the Covus installer. The setup program uses the InstallCore monetization download manager to download additional third-party applications that may be unwanted by the user. The file has been seen being downloaded from sda.pro.de.
Publisher:
Covus Pro GmbH (signed and verified)

MD5:
aed3716f6cc6312d93c301f10abc0dda

SHA-1:
52284dfbc349a5957c9c8f6ef39e0f36ad9b814d

SHA-256:
9da204e92c690b0eafc3340caf3b5c69484bb6b41808bdf22ba6d318ca9023da

Scanner detections:
8 / 68

Status:
Adware

Explanation:
Includes bundled offers in the installer/download manager that include adware components such as Best-markit, and Search Protect (ClientConnect).

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/5/2024 2:26:26 PM UTC

Scan engine           Detection                                               Engine version
Avira AntiVirus       PUA/DownloadGuide.Gen                                   7.11.216.120
AVG                   Generic                                                 2016.0.3076
ESET NOD32            Win32/DownloadGuide.E potentially unwanted application  9.7.0.302.0
herdProtect (fuzzy)                                                           2015.6.16.16
Reason Heuristics     PUP.Bundler.Covus                                       15.3.10.11
Sophos                PUA 'Install Core Click run software'                   5.12
VIPRE Antivirus       Threat.4150696                                          37788

File size:
364.1 KB (372,800 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Covus (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\download-adobe-flash-player.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
2/23/2015 2:53:38 PM

Valid to:
2/23/2016 2:53:38 PM

Subject:
CN=Covus Pro GmbH, O=Covus Pro GmbH, L=Berlin, C=DE

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
404873D3F4F98D31

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:sQqXgy+2yIudAgmi1YaiwLQHXOZKN7R1j/Z+VyKz+o902aGjG1bPBOQFF8kvlQgN:sg8yIuvmKHQvlRd/Z+QY98GERmUQgN

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file download-adobe-flash-player.exe has been seen being distributed by the following URL.
