flvplayer-chrome.exe

VASSANA KONGSOONGNERN

This is the setup program for CoolMirage, a potentially unwanted program (PUP) that displays ads on the computer. flvplayer-chrome.exe, signed by VASSANA KONGSOONGNERN, is flagged as adware by 7 of the 68 anti-malware scanners listed below. It is an NSIS (Nullsoft Scriptable Install System) installer that bundles several adware offers during download and setup, selected by the user's geographical location, including toolbars, browser extensions and coupon utilities. The file has been seen downloaded from www.getmydownloadsnow.com and multiple other hosts.
Publisher:
VASSANA KONGSOONGNERN  (signed and verified)

MD5:
ea8105b9fe9183b7d47764cd0b068a45

SHA-1:
57cafe6d084bd966069fa4af3be4e4af23fe6218

SHA-256:
ffbcf6380f3bf065d82e59b9eae38b962db4e219aa460e9b1c349108e03421f0

Scanner detections:
7 / 68

Status:
Adware

Explanation:
Bundles a number of adware programs in the installer.

Analysis date:
11/24/2024 9:32:32 AM UTC

Scan engine          Detection                              Engine version
AVG                  Generic                                2015.0.3279
Dr.Web               Adware.Downware.8319                   9.0.1.0330
ESET NOD32           NSIS/TrojanDownloader.Adload.AA        8.10779
K7 AntiVirus         Adware                                 13.185.14134
Kaspersky            not-a-virus:AdWare.NSIS.Yontoo         14.0.0.2888
Reason Heuristics    PUP.VASSANAKONGSOONGNERN.Q             14.12.16.10
Sophos               CoolMirage                             4.98

File size:
74.5 KB (76,240 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\flvplayer-chrome.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
10/5/2014 8:00:00 PM

Valid to:
10/6/2015 7:59:59 PM

Subject:
CN=VASSANA KONGSOONGNERN, OU=Individual Developer, O=No Organization Affiliation, L=Phuket, S=Phuket, C=TH

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
7E630B1125BFC2AAB3F8750B7348F18B

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:46 PM (this is the link time of the NSIS 2.x installer stub, which every installer built with that NSIS release carries; it is not the time this package was assembled)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:ZQpQ5EP0ijnRTXJXEElr4vxU9jMuMMMMMMMMMMMMMMMMMMMMMMMMMMMXMMMs/ubU:ZQIURTXJ14vxU9jMuMMMMMMMMMMMMMMI

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...

Entropy:
7.2339

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
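The hashes, PE header fields, entropy and "NSIS" verdict above are exactly what a triage script reproduces before trusting a vendor page. The script below is an added example, not code from this page or from the installer's publisher: it hashes a file, reads the COFF and optional headers, maps the entry point RVA to a file offset, measures Shannon entropy and looks for the NSIS firstheader marker (0xDEADBEEF followed by "NullsoftInst") in the overlay after the last section. Because the real sample is not shipped with the page, `build_sample()` constructs an in-memory PE32 that carries the header values listed above (linker 6.0, OS version 4.0, Windows GUI subsystem, entry 0x323C, 23,552 bytes of code, the 2009 stub timestamp, the first 24 entry-point bytes); its hashes therefore do not match the page's, and `matches_known()` reports that honestly.

```python
"""Offline triage of a Win32 PE installer: hashes, header fields, entropy, NSIS marker.

Added example (not from the analysis page). The sample bytes are constructed in
memory so the script runs without the real file; header values are copied from
the page, everything else about the sample is made up.
"""
import calendar
import hashlib
import math
import struct
from datetime import datetime, timezone

# SHA-256 of flvplayer-chrome.exe as listed on the page, used as the known-bad IOC.
KNOWN_SHA256 = "ffbcf6380f3bf065d82e59b9eae38b962db4e219aa460e9b1c349108e03421f0"
# NSIS "firstheader": 0xDEADBEEF little-endian followed by "NullsoftInst".
NSIS_MARK = b"\xef\xbe\xad\xdeNullsoftInst"
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
# First 24 entry-point bytes as printed on the page (sub esp,0x180 / push ebx / ...).
ENTRY_BYTES_FROM_PAGE = bytes.fromhex("81EC8001000053555633DB57895C2418C744241030914000")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8; the page's 7.23 says most of the file is compressed payload."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes) -> dict:
    """Read the triage fields from a PE32 image: timestamp, linker, subsystem, entry point, NSIS overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsect, stamp = struct.unpack_from("<HHI", data, pe + 4)
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                           # optional header follows the 20-byte COFF header
    magic, lmaj, lmin, code_size = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Walk the section table: map the entry RVA to a file offset and find where the sections end.
    entry_off, end_of_sections = None, 0
    for i in range(nsect):
        sh = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sh + 8)
        end_of_sections = max(end_of_sections, rawptr + rawsize)
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_off = entry_rva - va + rawptr
    entry_bytes = data[entry_off:entry_off + 24] if entry_off is not None else b""
    return {
        "machine": {0x14C: "i386", 0x8664: "x86-64"}.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "linker_version": f"{lmaj}.{lmin}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "code_size": code_size,
        "entry_rva": entry_rva,
        "entry_bytes": entry_bytes,
        # NSIS appends its compressed payload after the last section; the firstheader marks it.
        "is_nsis": NSIS_MARK in data[end_of_sections:],
        "overlay_size": max(0, len(data) - end_of_sections),
    }


def matches_known(data: bytes) -> bool:
    """True only for the exact sample on the page; a rebuilt or re-signed installer will not match."""
    return file_hashes(data)["sha256"] == KNOWN_SHA256


def build_sample() -> bytes:
    """Constructed PE32 carrying the page's header values. NOT the real installer."""
    stamp = calendar.timegm((2009, 12, 5, 17, 50, 46))     # NSIS 2.x stub link time from the page
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHH",
                      0x10B, 6, 0, 0x5C00, 0x1000, 0, 0x323C, 0x1000, 0x7000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x8000, 0x400, 0, 2, 0)
    opt += b"\0" * (0xE0 - len(opt))                        # data directories left zeroed
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x5C00, 0x1000, 0x5C00, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sect
    headers += b"\0" * (0x400 - len(headers))
    text = bytearray(0x5C00)
    text[0x223C:0x223C + len(ENTRY_BYTES_FROM_PAGE)] = ENTRY_BYTES_FROM_PAGE   # RVA 0x323C -> file 0x263C
    overlay = b"\0" * 4 + NSIS_MARK + bytes(range(256)) * 4  # stand-in for the compressed NSIS data
    return headers + bytes(text) + overlay


if __name__ == "__main__":
    sample = build_sample()
    for k, v in {**file_hashes(sample), **parse_pe(sample)}.items():
        print(f"{k:>15}: {v.hex(' ') if isinstance(v, bytes) else v}")
    print(f"{'entropy':>15}: {shannon_entropy(sample):.4f}")
    print(f"{'matches page':>15}: {matches_known(sample)}")
```

To run it against the real file, replace `build_sample()` with `open(path, "rb").read()`; the constructed sample has near-zero entropy because it is mostly padding, whereas the page's 7.23 reflects a real compressed payload. Note that the timestamp check cannot date this installer: every NSIS 2.x package shows the stub's link time.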

The file flvplayer-chrome.exe has been seen distributed from the following URLs (the latest 30 of 231 recorded). Every request carries the same affiliate identifier (subid=marmarlk) together with a per-download sid token, so the host, the script name and the subid are the reusable indicators; the sid is not.

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wRVUN1NAL6EJ2A9GG3D54LDU

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wCCO9MVNH3B4LJAG0T1L299C

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wVN1U81QB3TEK59GGDTKFBFA

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w1QT4D9E4K0KMMDG045SRBEO

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wS3ECNGRHAD1HABG0P6D1GDO

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wTG2RV2E8PG1R1AG05V9MOAO

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wTGS69J8BI00N1CG0835RLDE

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wBHFTLM8073OLS9G0J1Q2QAU

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wAP0GOIN7UOB0JBG0SMPP66C

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wO3SF8JNPVL8A0DGGT7GU6A4

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w808E2TKHQ1BIU9G049UC58M

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w52BB88CJBL0J8CGGQEGFVDM

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wBFED2U3IBQ2SRBG0NKJLLA8

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wI7GDPQGKNJ5BCCG0P1NUDD4

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wVQQC54MP2147VBGGKGDQGEC

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wKQ3ELCJITQDCLEG00BBNAB0

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wONR6TUCQVO6MJDGGFG6AP4M

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w6HPL3U57DNGRIBGGLNECL4C

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w6RLKG1RT625VJAGGCE125AU

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wMOESMFCPQ1J9BBG0VFURNJK

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w0VHMJ8MNCH9BN8G0VBKJK8A

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wDJ7MMIHBGRFHFAGG403G28Q

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w13S876NUFVSMC8G0HOCAHDA

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w0HRB76BGK9EB5CG0TP1741E

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wJADDN5KD7USO1DG0FNPAU7G

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w4BVEHV72PKA7PAGGC6EDUBG

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w7V0BP9LDEVT95CG0ABJ036G

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=w437F1EOGROSCNAG0BFIQC3G

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wVERG26BLACN51CGGGA9D5FO

http://www.getmydownloadsnow.com/.../mar16.php?subid=marmarlk&sid=wIE5D2R2TK0PFD8GG21SQCHU

Latest 30 of 231 download URLs
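The URL list is only useful if it is turned into something that runs over proxy logs. The script below is an added example, not from the page: it keys on the stable parts of the pattern (host, landing script name, affiliate subid) and treats the per-download sid as data to report rather than to match, and it also flags direct fetches of the dropped file name. The log format and log lines are constructed for the example; the directory segment in those URLs is invented because the page elides it with "...".

```python
"""Flag this distribution campaign in web-proxy logs.

Added example, not code from the page. Log format (date, time, client, method,
URL, status) and all log lines are constructed; the host, landing script name,
affiliate subid and dropped file name are taken from the page.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

CAMPAIGN_HOST = "www.getmydownloadsnow.com"
LANDING_SCRIPT = "mar16.php"            # the script every listed URL ends in
DROPPED_FILE = "flvplayer-chrome.exe"   # the installer the landing page serves


def classify_url(url: str):
    """Return a hit record for a landing-page or payload request on the campaign host, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    leaf = parts.path.rsplit("/", 1)[-1]
    if host != CAMPAIGN_HOST:
        return None
    if leaf == LANDING_SCRIPT:
        q = parse_qs(parts.query)
        # subid identifies the affiliate and repeats across downloads; sid changes every time.
        return {"kind": "landing", "subid": q.get("subid", [None])[0], "sid": q.get("sid", [None])[0]}
    if leaf.lower() == DROPPED_FILE:
        return {"kind": "payload", "subid": None, "sid": None}
    return None


def scan_log(log_text: str) -> list:
    """Parse whitespace-separated proxy lines and return the campaign hits in order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        hit = classify_url(fields[4])
        if hit:
            hits.append({"time": f"{fields[0]} {fields[1]}", "client": fields[2], **hit})
    return hits


def affiliate_summary(hits: list) -> dict:
    """Landing hits per affiliate subid: the pivot an analyst uses to find sibling campaigns."""
    return dict(Counter(h["subid"] for h in hits if h["kind"] == "landing"))


# Constructed proxy log: two hosts in the campaign path, one benign request, one look-alike elsewhere.
SAMPLE_LOG = """\
2014-12-16 10:01:02 10.0.0.5 GET http://www.getmydownloadsnow.com/offer/mar16.php?subid=marmarlk&sid=wAAAA0000000000000000000 200
2014-12-16 10:01:09 10.0.0.5 GET http://www.getmydownloadsnow.com/offer/flvplayer-chrome.exe 200
2014-12-16 10:02:30 10.0.0.9 GET http://www.example.org/index.html 200
2014-12-16 10:03:11 10.0.0.7 GET http://www.getmydownloadsnow.com/other/mar16.php?subid=otheraff&sid=wBBBB1111111111111111111 302
2014-12-16 10:04:00 10.0.0.7 GET http://cdn.example.net/x/mar16.php?subid=marmarlk 200
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("landing hits per affiliate:", affiliate_summary(found))
```

The last constructed line shows why the host is part of the key: a `mar16.php` with the same subid on an unrelated host is not matched. Reuse `classify_url` unchanged on real logs; only `scan_log`'s field positions depend on the constructed format.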
