flashplayer__4369_i148345243_il14.exe

Installer

Amonetize ltd.

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application flashplayer__4369_i148345243_il14.exe by Amonetize ltd has been detected as adware by 27 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. With this installer, users are expecting to download the free Adobe Flash Player but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
Amônétízé Ltd  (signed by Amonetize ltd.)

Product:
Installer

Version:
1.1.5.55

MD5:
3914888cdb3a34cdfdd6401f8117168e

SHA-1:
9a9ee521c01d87cd5e7202ac97a95f2d8b671c1e

SHA-256:
b30e57067a8141b961537c8b551ac35fe80307fa11dfef912fa725a1cf0bef98

Scanner detections:
27 / 68

Status:
Adware

Explanation:
This setup file is a re-distribution of the original program that bundles various adware offers during installation including toolbars and browser search extensions.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/5/2024 2:48:46 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.Amonetize.14
772

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.12.14

Avira AntiVirus
Adware/Amonetize.E
7.11.195.56

avast!
Win32:Amonetize-R [PUP]
2014.9-141225

AVG
Generic
2015.0.3250

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.141225

Bitdefender
Gen:Variant.Application.Bundler.Amonetize.14
1.0.20.1795

Comodo Security
ApplicUnwnt
20362

Dr.Web
Adware.Downware.2346
9.0.1.0359

ESET NOD32
Win32/Amonetize (variant)
8.10873

Fortinet FortiGate
MSIL/Kryptik.NM!tr
12/25/2014

F-Secure
Gen:Variant.Application.Bundler
11.2014-25-12_5

G Data
Gen:Variant.Application.Bundler.Amonetize.14
14.12.24

IKARUS anti.virus
Win32.SuspectCrc
t3scan.1.8.5.0

K7 AntiVirus
Unwanted-Program
13.187.14319

Kaspersky
not-a-virus:HEUR:AdWare.Win32.Amonetize
14.0.0.2743

Malwarebytes
PUP.Optional.InstallMonetizer
v2014.12.25.09

McAfee
Adware-Amonetize
5600.6906

MicroWorld eScan
Gen:Variant.Application.Bundler.Amonetize.14
15.0.0.1077

NANO AntiVirus
Riskware.Win32.Amonetize.dcnqqx
0.28.6.63850

Qihoo 360 Security
Win32/Virus.Adware.932
1.0.0.1015

Reason Heuristics
PUP.Installer.Amonetizeltd.b
14.12.25.9

Sophos
Amonetize
4.98

Trend Micro House Call
TROJ_SPNR.3AGS14
7.2.359

Trend Micro
TROJ_SPNR.3AGS14
10.465.25

VIPRE Antivirus
Amonetize
35710

Zillya! Antivirus
Backdoor.PePatch.Win32.41919
2.0.0.2005

File size:
330.5 KB (338,472 bytes)

Product version:
2.1.12

Copyright:
(c) Amônétízé Ltd, 2012,2013. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\downloads\flashplayer__4369_i148345243_il14.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
3/19/2013 1:00:00 AM

Valid to:
6/19/2015 1:59:59 AM

Subject:
CN=Amonetize ltd., O=Amonetize ltd., L=Raanana, S=Alberta, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
235E7B2F1D4E0152189F6381E2BA8C97

File PE Metadata
Compilation timestamp:
11/24/2013 1:16:15 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:mXHGu21wSfAuUz5ExyvLUAhJ9oBis3XeDi+P4MnIs3rf3UnwkxXwnpBE:GHG5eSIuoEqUAh7wisn4A9mrf3Jpe

Entry address:
0x27053

Entry point:
E8, 74, 96, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...
 
[+]

Code size:
230 KB (235,520 bytes)

The file flashplayer__4369_i148345243_il14.exe has been seen being distributed by the following 4 URLs.

http://ad.propellerads.com/ck.php?oaparams=2__bannerid=65588__zoneid=10250__OXLCA=1__cb=ff91f40e21__oadest=http://.../download.php?version=1.1.5.55&campid=2570&capp=FlashPlayer&prefix=FlashPlayer&ti1=${SUBID}

http://ad.propellerads.com/ck.php?oaparams=2__bannerid=65156__zoneid=10769__OXLCA=1__cb=e5ce0def79__oadest=http://.../download.php?version=1.1.5.55&campid=2570&capp=FlashPlayer&prefix=FlashPlayer&ti1=${SUBID}

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.soledownload.com  (54.225.181.84:80)

TCP (HTTP):
Connects to www.activemonetizer.com  (23.23.96.46:80)

 
http://www.activemonetizer.com/index.php?Net2=v2.0.50727&Net4=&OSversion=NT5.1SP3&Slv=&Sysid=B215676583&Sysid1=B215676583&X64=N&admin=Y&browser=IEXPLORE.EXE&chver=&exe=ikjut__15460472&offver=&lang_DfltUser=04

Remove flashplayer__4369_i148345243_il14.exe - Powered by Reason Core Security