installer_adobe_flash_player_english.exe

Click To Start

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application installer_adobe_flash_player_english.exe by Click To Start has been detected as adware by 23 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from domsem.com.edgesuite.net and multiple other hosts.
Publisher:
Click To Start  (signed and verified)

MD5:
2d2a3f78d6e9a290e2ec69693ce95ef9

SHA-1:
64862ec5fd1c77370d4ea473967521b51db0a073

SHA-256:
cf2a86313088da4a9dfb8f7c61dc6224db5984fcd7c90fdb64200e06c6d8ffa3

Scanner detections:
23 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 5:48:35 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Dropped:Application.Bundler.Outbrowse.AA
6356136

Agnitum Outpost
PUA.OutBrowse
7.1.1

Avira AntiVirus
APPL/Downloader.Gen
7.11.202.26

AVG
Potentially harmful program Downloader.CVE
2014.0.4253

Bitdefender
Dropped:Application.Bundler.Outbrowse.AA
1.0.20.80

Dr.Web
Trojan.OutBrowse.51
9.0.1.05190

Emsisoft Anti-Malware
Dropped:Application.Bundler.Outbrowse.AA
9.0.0.4799

ESET NOD32
Win32/OutBrowse.BM potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/OutBrowse
1/16/2015

F-Secure
Riskware.Dropped:Application.Bundler.Outbrowse
5.13.68

G Data
Dropped:Application.Bundler.Outbrowse.AA
15.1.24

IKARUS anti.virus
PUA.OutBrowse
t3scan.1.8.6.0

K7 AntiVirus
Unwanted-Program
13.191.14667

Malwarebytes
PUP.Optional.OutBrowse
v2015.01.16.08

McAfee
Program.Adware-OutBrowse.d
16.8.708.2

MicroWorld eScan
Dropped:Application.Bundler.Outbrowse.AA
16.0.0.48

NANO AntiVirus
Trojan.Win32.OutBrowse.dluceg
0.30.0.64448

Qihoo 360 Security
HEUR/QVM42.0.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.ClickToStart
15.1.16.20

Rising Antivirus
PE:Trojan.Win32.Generic.17E3BF84!400801668
23.00.65.15114

Sophos
Generic PUA NO
4.98

Trend Micro House Call
Suspici.6BC7E129
7.2.16

VIPRE Antivirus
Threat.4150696
36694

File size:
573.8 KB (587,536 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\installer_adobe_flash_player_english.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
12/5/2014 3:30:02 AM

Valid to:
12/6/2015 3:30:02 AM

Subject:
CN=Click To Start, O=Click To Start, L=Dublin, C=IE

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121A4ADB181C788DD5B27571502842584B8

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:T8aUJh819WiV08s4AkRd5zrfzb19aZRD34f9R:T31s2s4AkRdtrfPLaZRsfT

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9741

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file installer_adobe_flash_player_english.exe has been seen being distributed by the following 2 URLs.

Remove installer_adobe_flash_player_english.exe - Powered by Reason Core Security