flash player.exe

Flash Player

Download Assistant

This is part of the Air Installer, a download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application flash player.exe by Download Assistant has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the AirInstaller Download Manager installer. The file has been seen being downloaded from download.easydl.net.
Publisher:
Download Assistant  (signed and verified)

Product:
Flash Player

Version:
3.0.0.152

MD5:
2f1566d7b3a6e998c4c32b2e513cbde4

SHA-1:
f13f1937d2ef97dbd9a36f8a372c830730b4b221

SHA-256:
dde330aa3cca8159760fc23b7637dcffd7f328b3744df73f7a3bddffed89991a

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
11/16/2024 7:52:43 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Air Software.Download.Bundler (M)
16.4.2.15

File size:
1.1 MB (1,135,200 bytes)

Product version:
3.0.0.152

Copyright:
(c) Download Assistant

File type:
Executable application (Win32 EXE)

Bundler/Installer:
AirInstaller Download Manager

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\flash player.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
1/26/2016 12:00:00 AM

Valid to:
3/27/2017 12:59:59 AM

Subject:
CN=Download Assistant, O=Download Assistant, L=Victoria, S=British Columbia, C=CA

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
1278A8BBE7E82E656B1FD4779E9BC2F0

File PE Metadata
Compilation timestamp:
1/30/2013 2:21:56 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:rxGnltkCrHOMKk6XchK8TYbq0IUaogosro+66QruyrYkLvBV:ExruMgyT2qot7KyrYs

Entry address:
0x113BC

Entry point:
55, 8B, EC, 83, C4, A4, 53, 56, 57, 33, C0, 89, 45, C4, 89, 45, C0, 89, 45, A4, 89, 45, D0, 89, 45, C8, 89, 45, CC, 89, 45, D4, 89, 45, D8, 89, 45, EC, B8, 2C, 00, 41, 00, E8, E8, 51, FF, FF, 33, C0, 55, 68, 9E, 1A, 41, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 5A, 1A, 41, 00, 64, FF, 32, 64, 89, 22, A1, 48, 5B, 41, 00, E8, 16, D8, FF, FF, E8, 65, D3, FF, FF, 80, 3D, DC, 2A, 41, 00, 00, 74, 0C, E8, 2B, D9, FF, FF, 33, C0, E8, 80, 32, FF, FF, 8D, 55, EC, 33, C0, E8, E2, A3, FF, FF, 8B, 55, EC, B8, 50, 86...
 
[+]

Entropy:
6.9579

Developed / compiled with:
Microsoft Visual C++

Code size:
65.5 KB (67,072 bytes)

The file flash player.exe has been seen being distributed by the following URL.

Remove flash player.exe - Powered by Reason Core Security