flashplayer__4369_i1020197088_il26.exe

The application flashplayer__4369_i1020197088_il26.exe has been detected as a potentially unwanted program by 30 anti-malware scanners. This is a setup program which is used to install the application. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.more-files.com and multiple other hosts.
Version:
1.1.6.20

MD5:
891b25ef2a59d96ed40ef9189d1d04c4

SHA-1:
03d2d5492aa0ff3b1675f9dce4293a37cabaa596

SHA-256:
dfcf4cd11b894a35457e52ae23cafb99b8391d41f3b5232159f12ad5b2968926

Scanner detections:
30 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 12:42:38 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Generic.679898
834

Agnitum Outpost
PUA.Amonetize
7.1.1

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.09.01

Avira AntiVirus
ADWARE/Adware.Gen
7.11.170.48

avast!
Win32:Amonetize-CI [PUP]
2014.9-141023

AVG
Generic_r
2015.0.3312

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.141023

Bitdefender
Application.Generic.679898
1.0.20.1480

Comodo Security
ApplicUnwnt
19375

Dr.Web
Adware.Downware.5717
9.0.1.0296

ESET NOD32
Win32/Amonetize.BI (variant)
8.10343

Fortinet FortiGate
Riskware/Amonetize
10/23/2014

F-Secure
Application.Generic.679898
11.2014-23-10_5

G Data
Application.Generic.679898
14.10.24

IKARUS anti.virus
PUA.Bundler.Amonetize
t3scan.1.7.5.0

Kaspersky
not-a-virus:AdWare.Win32.Amonetize
14.0.0.3057

Malwarebytes
PUP.Optional.Amonetize
v2014.10.23.12

McAfee
RDN/Generic PUP.x!ckb
5600.6968

MicroWorld eScan
Application.Generic.679898
15.0.0.888

NANO AntiVirus
Riskware.Win32.Amonetize.dcckkw
0.28.2.61861

Panda Antivirus
Trj/Genetic.gen
14.10.23.12

Qihoo 360 Security
HEUR/Malware.QVM10.Gen
1.0.0.1015

Quick Heal
AdWare.Amonetize.r5 (Not a Virus)
10.14.14.00

Reason Heuristics
Threat.Win.Reputation.IMP
14.10.23.12

Sophos
Generic PUA AD
4.98

Trend Micro House Call
TROJ_GEN.R0CBC0EH514
7.2.296

Trend Micro
TROJ_GEN.R0CBC0EH514
10.465.23

Vba32 AntiVirus
AdWare.Amonetize
3.12.26.3

VIPRE Antivirus
Trojan.Win32.Generic
32704

Zillya! Antivirus
Adware.Amonetize.Win32.79
2.0.0.1907

File size:
325.5 KB (333,312 bytes)

Product version:
1.1.6.20

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

File PE Metadata
Compilation timestamp:
7/4/2014 4:07:43 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:aHck/KG/pZywzTBQe7/2yeVGs36nyi63MBJdkk3JIOrdfLxd:aHckfhEwzT5OyekBduA0QOepLz

Entry address:
0x11277

Entry point:
E8, BA, 46, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 3C, 2D, 42, 00, 00, 75, 18, E8, B4, 3D, 00, 00, 6A, 1E, E8, FE, 3B, 00, 00, 68, FF, 00, 00, 00, E8, 97, F6, FF, FF, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40...
 
[+]

Code size:
94.5 KB (96,768 bytes)

The file flashplayer__4369_i1020197088_il26.exe has been seen being distributed by the following 5 URLs.

http://www.more-files.com/alldd.html?myref=www.newhdplugin.net&version=1.1.6.20&prefix=FlashPlayerSetup&campid=4369&instid[appname]=FlashPlayer&instid[appsetupurl]=https://launchpad.net/lightspark/trunk/lightspark-0.5.3/ download/Lightspark-0.5.3-win32.exe&instid[appimageurl]=http://www.tsxnrey.com/i/White Smoke Inc/.../150x150_v1Logo.jpg&prefix=FlashPlayer&ti1=MXw1MDg0fFRXfDN8MXx8|5a3b0157431319d258e215fae8b4e084|5ab58d00-e759-11e3-86c9-0025b320a860&capp=FlashPlayer&AMt=1404926492995&AMh=7fn2b4gxIWmb09igS84d2Ie2zMXUjQgM3KAUfCzDKPbVydo5QZMSwcespsmVBC1AtdCH3iBb48loOaw3

http://www.gofordownload.com/download.php?version=1.1.6.20&campid=4607&capp=FlashPlayer&prefix=install*flashplayer&ti1=MTI0M3wzMDQxfE1BfDN8MXx8|65b474ca1849c607456c55c89fa520c1|50783c80-ddd0-11e3-ad18-002590f00f96

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-107-20-147-93.compute-1.amazonaws.com  (107.20.147.93:80)

Remove flashplayer__4369_i1020197088_il26.exe - Powered by Reason Core Security