flash_player.exe

The application flash_player.exe has been detected as a potentially unwanted program by 21 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The file has been seen being downloaded from www.1freedown.com and multiple other hosts.
MD5:
47d95ff01f9a47691858bbeb5d562089

SHA-1:
79107cfb6dc28aae2b90535464684f518dce1c64

SHA-256:
0b829c3fe6941d9edcc0409479e9129d78196fcb59acb49c25947fede956f7e5

Scanner detections:
21 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/30/2024 11:26:30 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.OutBrowse
7.1.1

avast!
Win32:PUP-gen [PUP]
2014.9-140423

AVG
MalSign.OutBrowse
2015.0.3496

Baidu Antivirus
Hacktool.Win32.OutBrowse
4.0.3.14423

Comodo Security
Application.Win32.OutBrowse.~A
18102

Dr.Web
Adware.Downware.1770
9.0.1.0113

ESET NOD32
Win32/OutBrowse (variant)
8.9672

G Data
Win32.Application.OutBrowse
14.4.24

IKARUS anti.virus
not-a-virus:Downloader.NSIS
t3scan.1.6.1.0

K7 AntiVirus
Trojan
13.176.11737

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
14.0.0.3974

Malwarebytes
PUP.Optional.OutBrowse
v2014.04.23.02

McAfee
RDN/Generic PUP.x!bw3
5600.7152

NANO AntiVirus
Trojan.Win32.OutBrowse.csrlza
0.28.0.59048

Qihoo 360 Security
HEUR/Malware.QVM06.Gen
1.0.0.1015

Quick Heal
Trojan.NSIS.OutBrowse.b
4.14.12.00

Sophos
OutBrowse
4.98

Trend Micro House Call
TROJ_GEN.R0CBB01DC14
7.2.113

Vba32 AntiVirus
Downloader.OutBrowse
3.12.26.0

VIPRE Antivirus
OutBrowse
28214

XVirus List
Win32.Detected
2.4.23

File size:
616 KB (630,756 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\flash_player.exe

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:NxFyhCfsMntd1zdwVWyK1EzotWlj+kzVX0xp+lHTNo5uLMxHeXAkepYsq4R:NHyhCfsMtpwof1EzotWln3M6VXopa4R

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9788

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file flash_player.exe has been seen being distributed by the following 3 URLs.

Remove flash_player.exe - Powered by Reason Core Security