webplayer.exe

Kreapixel

The application webplayer.exe by Kreapixel has been detected as a potentially unwanted program by 7 anti-malware scanners. This is a setup program which is used to install the application. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from clic.illyx.com and multiple other hosts.
Publisher:
Kreapixel (signed and verified)

Version:
3.3.8.1

MD5:
f63894ceffe465fcaff89b45fa511037

SHA-1:
6bdfe402a1614b43ba4e6204f3f448e22563c192

SHA-256:
0204ce2d7c801406d02a80ef544ed2ec50cf78e0c207e87985832542ec09a788

Scanner detections:
7 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/25/2024 4:43:12 AM UTC

Scan engine | Detection | Engine version
Dr.Web | Trojan.Crossrider.9 | 9.0.1.0266
F-Prot | W32/Undefined.Threat | v6.4.7.1.166
IKARUS anti.virus | not-a-virus:WebToolbar.Win32.Toolbar | t3scan.2.2.29
Reason Heuristics | PUP.Kreapixel.J | 14.9.23.17
Rising Antivirus | AU3SCRIPT:Malware.Banker!1.9DF6 | 23.00.65.14921
Sophos | Kreapixel | 4.96
Trend Micro House Call | TROJ_GEN.F47V0604 | 7.2.266

File size:
711.7 KB (728,752 bytes)

File type:
Executable application (Win32 EXE)

Language:
French (France)

Common path:
C:\users\{user}\downloads\webplayer.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
4/27/2013 8:00:00 PM

Valid to:
4/28/2014 7:59:59 PM

Subject:
CN=Kreapixel, OU=24, O=Kreapixel, L=Bergerac, S=Dordogne, C=FR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
73E829C616F33571512B97CC95565619

File PE Metadata
Compilation timestamp:
1/29/2012 4:32:28 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:m6Wq4aaE6KwyF5L0Y2D1PqLU+LxbBZsVj9noChxMPDs:sthEVaPqLU+LLZ09vx

Entry address:
0xDBEB0

Entry point:
60, BE, 00, A0, 49, 00, 8D, BE, 00, 70, F6, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
268 KB (274,432 bytes)

The file webplayer.exe has been seen being distributed by the following 5 URLs.

http://.../aff_c?offer_id=25&aff_id=1005&source=server1.affiz.net tvdirectplayerb&clickTAG=http://.../aff_c?offer_id=25&aff_id=1005&source=server1.affiz.net tvdirectplayerb

Remove webplayer.exe - Powered by Reason Core Security