freeflvconvertersetup-r20-n-bc.exe

Free FLV Converter

Koyote-Lab Inc.

The application freeflvconvertersetup-r20-n-bc.exe, “Free FLV Converter Install” by Koyote-Lab has been detected as a potentially unwanted program by 14 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from r2.computerbild.de and multiple other hosts. While running, it connects to the Internet address 94.31.0.160.IPYX-076665-ZYO.above.net on port 80 using the HTTP protocol.
Publisher:
Koyote-Lab Inc  (signed by Koyote-Lab Inc.)

Product:
Free FLV Converter

Description:
Free FLV Converter Install

Version:
1.0.0.134486

MD5:
60b912f33e83877f8ad3db3bf49697b1

SHA-1:
115217b4c660b6df865746616b4d9f98604f826f

SHA-256:
b34b25972f305fcb4b6fc4c62d8d9e3f0c75bd93cf413150efca6008ffd7ba36

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 3:19:02 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

Avira AntiVirus
Adware/SeaSuite.ona
7.11.198.40

AVG
SearchSuite
2015.0.3248

Clam AntiVirus
Win.Adware.Searchsuite-3
0.98/21511

Dr.Web
Adware.Downware.964
9.0.1.0361

ESET NOD32
Win32/KoyoteLab (variant)
8.10931

Fortinet FortiGate
Riskware/KoyoteLab
12/27/2014

G Data
Win32.Application.KoyoteLab
14.12.24

K7 AntiVirus
Unwanted-Program
13.188.14468

Malwarebytes
PUP.Optional.Koyote.A
v2014.12.27.05

McAfee
Artemis!60B912F33E83
5600.6904

Reason Heuristics
PUP.Installer.KoyoteLab.EE
14.12.27.5

Sophos
Generic PUA BB
4.98

Trend Micro House Call
Suspicious_GEN.F47V1126
7.2.361

File size:
1.5 MB (1,533,288 bytes)

Product version:
1.0.0.134486

Copyright:
Copyright (c) 2014

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\freeflvconvertersetup-r20-n-bc.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
2/12/2014 2:00:00 AM

Valid to:
2/22/2016 1:59:59 AM

Subject:
CN=Koyote-Lab Inc., OU=DEV, O=Koyote-Lab Inc., L=Panama City, S=Panama, C=PA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
05787E08EB7454E434F666A81F251A2D

File PE Metadata
Compilation timestamp:
5/30/2013 11:09:15 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:1RZpYmjsWQ06EeRliQqLxZrV7IDBxjEWxk/Ev2lV5FxM89k7VMJwYVZyFnj:bRjbQ06EebyLx/8wWy/lV5Fxd9CMJstj

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, BC, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 25, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 80, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 8F, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 7D, 27, 00, 00...
 
[+]

Entropy:
7.9894

Packer / compiler:
Nullsoft install system v2.x

Code size:
29.5 KB (30,208 bytes)

The file freeflvconvertersetup-r20-n-bc.exe has been seen being distributed by the following 5 URLs.

http://r2.computerbild.de/exec/r2r.pl?m=w-cobi;u=http://d.computerbild.de/downloads/.../FreeFLVConverterSetup-r0-n-bc.exe

http://download4.freefiles-18.de/software/s33224/d21000/33224/.../FreeFLVConverterSetup-r0-n-bf.exe

http://filepony.de/.../FreeFLVConverterSetup-r0-n-bc762.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-235-137-222.compute-1.amazonaws.com  (54.235.137.222:80)

TCP (HTTP):
Connects to 94.31.0.25.IPYX-076665-ZYO.above.net  (94.31.0.25:80)

TCP (HTTP):
Connects to 94.31.0.160.IPYX-076665-ZYO.above.net  (94.31.0.160:80)

Remove freeflvconvertersetup-r20-n-bc.exe - Powered by Reason Core Security