installer_adobe_flash_player_english.exe

The application installer_adobe_flash_player_english.exe has been detected as a potentially unwanted program by 15 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The file has been seen being downloaded from dv.a-chn4.com and multiple other hosts.
MD5:
735260ee6ece95ba141f85dfd28aea27

SHA-1:
47e7822bf46a34453b28720aba9801a5f8aeec4c

SHA-256:
766eb2118539a8050b20aad4cc6b621e10217d9fb09b93fc5cb98b908c828361

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
12/27/2024 12:47:49 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.OutBrowse
2015.04.14

avast!
Win32:Dropper-gen [Drp]
2014.9-150821

Baidu Antivirus
Trojan.Win32.Addrop
4.0.3.15821

ESET NOD32
Win32/TrojanDropper.Addrop
9.11468

G Data
Win32.Trojan.Agent.2X93XI
15.8.25

K7 AntiVirus
Trojan
13.202.15582

Kaspersky
not-a-virus:Downloader.NSIS.Agent
14.0.0.1550

McAfee
RDN/Generic Dropper!wc
5600.6667

Panda Antivirus
Generic Suspicious
15.08.21.12

Sophos
Generic PUA EH
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-Downloader
9679

Trend Micro House Call
TROJ_GEN.R02SC0OBP15
7.2.233

Trend Micro
TROJ_GEN.R02SC0OBP15
10.465.21

VIPRE Antivirus
Trojan.Win32.Generic
39328

ViRobot
Adware.Agent.692674[h]
2014.3.20.0

File size:
676.4 KB (692,674 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\installer_adobe_flash_player_english.exe

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:MpqEqH5WS/exwMlIknNkDNTg8rKc6ZhBYJYLNxw+OFSY4NoHIoGl5:Mpsd/fMlIknNkVgSKHB2YRIFSdGrQ

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installer_adobe_flash_player_english.exe has been seen being distributed by the following 3 URLs.

http://dv.a-chn4.com/installers/axtan_installers/get.php?ua=chrome&ut=d7ef0a6d23bbe317ec7b98e8005a0825&loop=1&r=2890081&x=L2hvbWUvZG93bl9jcm9ucy9wdWJsaWNfaHRtbC9pbnN0YWxsZXJzL291dC9vbi8yL2ZyZWVzb2Z0c3RvcmVjb20vZW5nbGlzaC9yZXZlbnVlL2Nocm9tZS9hZG9iZV9mbGFzaF9wbGF5ZXIvZC8yNzU4NzZlMzRjZjYwOWRiMTE4ZjNkODRiNzk5YTc5MC9vdXQvbmEvbmEvaW5zdGFsbGVyX2Fkb2JlX2ZsYXNoX3BsYXllcl9FbmdsaXNoLmV4ZQ==&p=RlJFRVNPRlRTVE9SRUNPTQ==&u=L2Rvd25sb2FkMi5mcmVlc29mdHN0b3JlMi5jb20vaW5zdGFsbGVycy9vdXQvMDAyMDQwMDIwNTAwMjA2L3BpaWQtNTRkMzU1ZTI4YmUyMTguMjA0OTAzNjEvb24vMi9mcmVlc29mdHN0b3JlY29tL2VuZ2xpc2gvcmV2ZW51ZS9jaHJvbWUvYWRvYmVfZmxhc2hfcGxheWVyL2QvMjc1ODc2ZTM0Y2Y2MDlkYjExOGYzZDg0Yjc5OWE3OTAvb3V0L25hL25hL2luc3RhbGxlcl9hZG9iZV9mbGFzaF9wbGF5ZXJfRW5nbGlzaC5leGU=&aa=on/2/freesoftstorecom//&LD=92&HJ=89&JC=1&GE=73&NJ=78&AB=47&IA=24&LG=62&DC=28&s=84109871201912510942651558301939340328559640891995161317247340385417273137127326943174809544672114941255978710414722202166634846340566064835987359570896459934578625331715303049906985631

Remove installer_adobe_flash_player_english.exe - Powered by Reason Core Security