flashplayer__4369_i1095561690_il7.exe

The application flashplayer__4369_i1095561690_il7.exe has been detected as a potentially unwanted program by 21 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer; however, the file is not signed with an Authenticode signature from a trusted source. The setup program bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The installer is marketed through download portals and search ads as the free Adobe Flash Player but will also install additional software offers, which include adware, PUPs and browser toolbars.
Version:
1.1.6.20

MD5:
f213778d7c6dd0faaf4244be023cb3e2

SHA-1:
0ce7bfb8f638f37f3b2520a90be46be7f073eab1

SHA-256:
aa52a0bec2b8bbba04b2c66708f5aefa21681c68264cd7c6a6b33b51ab06f87b

Scanner detections:
21 / 68

Status:
Potentially unwanted

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
12/25/2024 4:35:29 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Application.Bundler.Amonetize.N | 921 |
| AhnLab V3 Security | PUP/Win32.Amonetiz | 2014.07.28 |
| Avira AntiVirus | APPL/Amonetize.Z | 7.11.164.60 |
| avast! | Win32:Amonetize-CL [PUP] | 2014.9-140728 |
| Baidu Antivirus | Adware.Win32.Amonetize | 4.0.3.14728 |
| Bitdefender | Application.Bundler.Amonetize.N | 1.0.20.1045 |
| Dr.Web | Adware.Downware.5913 | 9.0.1.0209 |
| ESET NOD32 | Win32/Amonetize.BI (variant) | 8.10163 |
| F-Secure | Application.Bundler.Amonetize | 11.2014-28-07_2 |
| G Data | Application.Bundler.Amonetize | 14.7.24 |
| IKARUS anti.virus | not-a-virus:AdWare.Amonetize | t3scan.1.6.1.0 |
| Kaspersky | not-a-virus:AdWare.Win32.Amonetize | 14.0.0.3491 |
| Malwarebytes | PUP.Optional.Downloader | v2014.07.28.07 |
| McAfee | Artemis!F213778D7C6D | 5600.7055 |
| MicroWorld eScan | Application.Bundler.Amonetize.N | 15.0.0.627 |
| NANO AntiVirus | Riskware.Win32.Amonetize.dchxoa | 0.28.2.60990 |
| Panda Antivirus | Trj/Genetic.gen | 14.07.28.07 |
| Reason Heuristics | Threat.Win.Reputation.IMP | 14.7.28.19 |
| Sophos | Generic PUA AM | 4.98 |
| Vba32 AntiVirus | AdWare.Amonetize | 3.12.26.3 |
| VIPRE Antivirus | Trojan.Win32.Generic | 31680 |

File size:
343 KB (351,232 bytes)

Product version:
1.1.6.20

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\downloads\flashplayer__4369_i1095561690_il7.exe

File PE Metadata
Compilation timestamp:
7/27/2014 8:04:26 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:xBieRGukt2xUBTBIq6vSKiULM5JFdTDCgEzTdsvDwp4FzL:zvsN2xUBTJoSKpLM7TDC/zTd2DwpWL

Entry address:
0x14C32

Entry point:
E8, E8, 5F, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 3C, 8E, 3F, 00, 00, 75, 18, E8, C8, 59, 00, 00, 6A, 1E, E8, 12, 58, 00, 00, 68, FF, 00, 00, 00, E8, 10, F6, FF, FF, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 3C, 8E, 3F, 00, FF, 15...
 

Entropy:
7.4403

Code size:
116.5 KB (119,296 bytes)

The file flashplayer__4369_i1095561690_il7.exe has been seen being distributed by the following 6 URLs.

http://www.validdownload.com/download.php?version=1.1.6.20&campid=4607&capp=FlashPlayer&prefix=install*flashplayer&ti1=MzEyNHwzMDQ0fE1YfDN8MXx8|65b474ca1849c607456c55c89fa520c1|1f92e0e0-86bc-11e3-8eaf-0025b320a860

http://www.more-files.com/alldd.html?myref=www.newhdplugin.org&version=1.1.6.20&prefix=FlashPlayerSetup&campid=4369&instid[appname]=FlashPlayer&instid[appsetupurl]=https://launchpad.net/lightspark/trunk/lightspark-0.5.3/ download/Lightspark-0.5.3-win32.exe&instid[appimageurl]=http://www.tsxnrey.com/i/White Smoke Inc/.../150x150_v1Logo.jpg&prefix=FlashPlayer&ti1=MTgzN3w1MDY1fE1YfDN8MXx8|0508bd5422e63360d703a307569c5540|0ae412f0-11cb-11e4-ac40-002590f00f96&capp=FlashPlayer&AMt=1406491511616&AMh=7fn2b4gxIWmb09igS84d2Ie2zMXUjQgM3KAUfCzDKPbVydo5QZMSwcespsmVBC1AtdCH3iBb48loOaw3

http://www.more-files.com/alldd.html?myref=www.newhdplugin.org&version=1.1.6.20&prefix=FlashPlayerSetup&campid=4369&instid[appname]=FlashPlayer&instid[appsetupurl]=https://launchpad.net/lightspark/trunk/lightspark-0.5.3/ download/Lightspark-0.5.3-win32.exe&instid[appimageurl]=http://www.tsxnrey.com/i/White Smoke Inc/.../150x150_v1Logo.jpg&prefix=FlashPlayer&ti1=MTF8NDYxNnxVU3wzfDF8fA|167163e4178bb3acaf3040a7421daaab|fbefd950-15a3-11e4-a274-0025b320a860&capp=FlashPlayer&AMt=1406483611974&AMh=7fn2b4gxIWmb09igS84d2Ie2zMXUjQgM3KAUfCzDKPbVydo5QZMSwcespsmVBC1AtdCH3iBb48loOaw3
