home

flash player.exe

TIKi TAKa

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application flash player.exe by TIKi TAKa has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from get.downward1209.info.
Publisher:
TIKi TAKa  (signed and verified)

MD5:
a0fe2b705c8b2dbe259df436846b50d9

SHA-1:
700e2c8f2ee14eb5ff5ba57522ff91ee08863843

SHA-256:
d377460217b4b87b7b58cdd93f9a182e4d33697a1bf48836b2da0de148e25ff3

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/27/2024 4:30:39 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.OutBrowse
2015.01.28

Avira AntiVirus
APPL/Downloader.Gen
7.11.205.128

AVG
Potentially harmful program Downloader.DHP
2014.0.4257

ESET NOD32
Win32/OutBrowse.BS potentially unwanted application
7.0.302.0

K7 AntiVirus
Trojan
13.192.14775

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
15.0.0.543

Malwarebytes
PUP.Optional.OutBrowse.gen
v2015.01.27.02

McAfee
Program.Adware-OutBrowse.e
16.8.708.2

NANO AntiVirus
Trojan.Win32.OutBrowse.dmxjlz
0.30.0.65070

Reason Heuristics
PUP.Outbrowse
15.1.27.14

Trend Micro House Call
Suspici.1DA846D1
7.2.27

File size:
571.4 KB (585,096 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\flash player.exe

Digital Signature
Signed by:
TIKi TAKa

Authority:
thawte, Inc.

Valid from:
1/24/2015 6:00:00 PM

Valid to:
12/17/2015 5:59:59 PM

Subject:
CN=TIKi TAKa, O=TIKi TAKa, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
48DBE2A4F33AD90F2D5F895F2D0486FA

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:/ZHDuztb3lWD4ISTcCjnNDfc3LSTnSBLs2VMapvZN:/ZH+tb1uVY7T9cqSOwL

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9741

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file flash player.exe has been seen being distributed by the following URL.

http://get.downward1209.info/.../get20?p=19141&d=25268&l=24431&n=1&typ=&productname=Flash Player&filename=Flash Player&clickid=w1SSSDVUDOIKL5NHGDF9IQ0K

Remove flash player.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.