WebPlayer.exe

WebPlayer

The application WebPlayer.exe has been detected as a potentially unwanted program by 2 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘AppsHat’. This file is typically installed with the program FLV Player by PROXUS Media Group. The file has been seen being downloaded from zalacznik.wp.pl. While running, it connects to the Internet address 31.24.228.244.static.midphase.com on port 80 using the HTTP protocol.
Product:
WebPlayer

Version:
1.1.0.0

MD5:
4f9236be13917b89f7a03dea85f220fa

SHA-1:
4c1a2beaca0702a3ea3ef5005cd064605850813e

SHA-256:
4909b892f70dbbb487e470b00dd92d48d602527c775dc34a14ea8cf6d3c7c3fd

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2024 2:57:16 PM UTC

Scan engine        | Detection                                        | Engine version
-------------------|--------------------------------------------------|---------------
ESET NOD32         | Win32/Somoto.I potentially unwanted application  | 6.3.12010.0
Reason Heuristics  | Adware.AppsHat (M)                               | 17.3.9.1

File size:
198 KB (202,752 bytes)

Product version:
1.1.0.0

Copyright:
Copyright 2012

Original file name:
WebPlayer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\test\local settings\application data\webplayer\appshat\webplayer.exe

File PE Metadata
Compilation timestamp:
10/25/2012 11:49:05 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:hL+/Sw5On/yPEqE0im6mbsuN18slzvPiTQ:Y/SuQ/SEqE0im6mbDSslzvP

Entry address:
0x150D2

Entry point:
E8, D3, 5C, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A0, 01, 00, 00, 81, F9, 80, 00, 00, 00, 72, 1C, 83, 3D, A4, EB, 42, 00, 00, 74, 13, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 05, E9, 21, 5D, 00, 00, F7, C7, 03, 00, 00, 00, 75, 14, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 29, F3, A5, FF, 24, 95, 50, 52, 41, 00, 8B, C7, BA, 03, 00, 00, 00, 83, E9, 04, 72, 0C, 83, E0, 03, 03, C8, FF...

Entropy:
6.3366

Code size:
132 KB (135,168 bytes)

3 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
AppsHat

Command:
C:\users\{user}\appdata\local\webplayer\appshat\webplayer.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
FLV Player

Command:
C:\users\{user}\appdata\local\webplayer\flv player\webplayer.exe

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Apps Hat

Command:
C:\users\{user}\appdata\local\webplayer\appshat\webplayer.exe


The file WebPlayer.exe has been discovered within the following programs.

FLV Player  by PROXUS Media Group
Publisher's description - “If you ever wanted to add video to your projects or websites, there is no easier way than using pre-built Flash video components. Our player is one of the most feature loaded components on the market and it was specifically designed to suit developer and designers needs.”
www.proxynetworks.com
About 1% of users remove it
Online Weather  by Somoto Ltd.
Online Weather (Somoto Ltd. Powered by YoWindow) uses the Web Player app with Kango browser extensions. It is a bundled installation using a download monetization platform. Installing the co-bundled software through the modified installer may not be optional.
online-weather.org/lp/onlineweather
68% remove it
Video Converter  by Somoto Ltd.
Video Converter is an adware web browser extension that will display various popup and banner ads as well as modify the user's web browser search and home page settings.
78% remove it
Powered by Should I Remove It?

The file WebPlayer.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 131.subnet180-250-66.speedy.telkom.net.id  (180.250.66.131:80)

TCP (HTTP):
Connects to c4.3e.559e.ip4.static.sl-reverse.com  (158.85.62.196:80)

TCP (HTTP):
Connects to 31.24.228.244.static.midphase.com  (31.24.228.244:80)

TCP (HTTP):
Connects to squid.spd.co.il  (212.199.163.170:80)

TCP (HTTP):
Connects to ec2-50-112-125-77.us-west-2.compute.amazonaws.com  (50.112.125.77:80)

TCP (HTTP):
Connects to squid.mirrors.pair.com  (216.92.2.155:80)

TCP (HTTP):
Connects to server-54-230-0-207.lhr5.r.cloudfront.net  (54.230.0.207:80)

TCP (HTTP SSL):
Connects to server-54-192-159-150.sin3.r.cloudfront.net  (54.192.159.150:443)

TCP (HTTP):
Connects to server-54-182-192-54.iad16.r.cloudfront.net  (54.182.192.54:80)

TCP (HTTP):
Connects to server-52-85-83-236.lax1.r.cloudfront.net  (52.85.83.236:80)

TCP (HTTP):
Connects to s3.coolzero.info  (149.210.233.62:80)

TCP (HTTP):
Connects to ocsp.comodoca.com  (178.255.83.1:80)

TCP (HTTP):
Connects to ip-172-30-0-10.ec2.internal  (172.30.0.10:8080)

TCP (HTTP):
Connects to ip-172-16-16-3.ec2.internal  (172.16.16.3:8080)

TCP (HTTP):
Connects to hit-malware.opendns.com  (146.112.61.107:80)

TCP (HTTP):
Connects to ec2-54-214-5-98.us-west-2.compute.amazonaws.com  (54.214.5.98:80)

TCP (HTTP SSL):
Connects to ec2-52-1-139-99.compute-1.amazonaws.com  (52.1.139.99:443)

TCP (HTTP SSL):
Connects to ec2-34-196-191-121.compute-1.amazonaws.com  (34.196.191.121:443)

TCP (HTTP):
Connects to 91.220.197.104.bc.googleusercontent.com  (104.197.220.91:80)

TCP (HTTP):
Connects to 178.155.155.104.bc.googleusercontent.com  (104.155.155.178:80)

Remove WebPlayer.exe - Powered by Reason Core Security