flash - guncelle.exe

Project1

The executable flash - guncelle.exe has been detected as malware by 26 of 68 anti-virus scanners. It presents itself as a Flash updater ("güncelle" is Turkish for "update"), and several engines name it accordingly as a fake Flash installer or dropper (Malwarebytes Trojan.FakeFlash, Dr.Web Trojan.MulDrop5.6461). It persists by registering itself under the current user's Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) with the value name 'Project1', which is the default project name of a Visual Basic program and matches the PE metadata below showing the file was built with Visual Basic 5. Two details are worth noting when triaging: the install folder name (jeapaeedfpfcnbnegopffbpcmenipgoi) is a 32-character string of the letters a-p, the form Chrome uses for extension IDs, and ESET's detection name (JS/ExtenBro.FBook) refers to a malicious browser-extension family; this suggests the executable is tied to a browser-extension payload, although the page itself shows no extension. The engine versions in the scan table date the detections to early January 2014, about a week after the file's compilation timestamp. The file has been seen being downloaded from docs.google.com and multiple other hosts.
Product:
Project1

Version:
1.00

MD5:
fbf92ea1aa2424befb7b19bba8e4ee92

SHA-1:
a35037633336fb206f1a9af88a7b12e56cf3cf01

SHA-256:
e0622960ff4362c244b910a15406f56863feceba5052e01cf4cf134ab30afc24

Scanner detections:
26 / 68

Status:
Malware

Analysis date:
4/26/2024 8:58:21 PM UTC

Scan engine               Detection                          Engine version
Lavasoft Ad-Aware         Trojan.GenericKD.1478294           1126
Avira AntiVirus           TR/Rogue.1478294                   7.11.123.168
AVG                       Win32/DH                           2015.0.3604
Baidu Antivirus           Trojan.Win32.Scar                  4.0.3.1414
Bitdefender               Trojan.GenericKD.1478294           1.0.20.20
Bkav FE                   W32.Cloda7a.Trojan                 1.3.0.4613
Comodo Security           UnclassifiedMalware                17558
Dr.Web                    Trojan.MulDrop5.6461               9.0.1.04
Emsisoft Anti-Malware     Trojan.GenericKD.1478294           8.14.01.04.06
ESET NOD32                JS/ExtenBro.FBook (variant)        8.9255
Fortinet FortiGate        W32/Scar.HUCK!tr                   1/4/2014
F-Secure                  Trojan.GenericKD.1478294           11.2014-19-01_1
G Data                    Trojan.GenericKD.1478294           14.1.22
IKARUS anti.virus         Trojan.Win32.Scar                  t3scan.2.2.29
Kaspersky                 Trojan.Win32.Scar                  14.0.0.4516
Malwarebytes              Trojan.FakeFlash                   v2014.01.04.06
McAfee                    RDN/Generic.dx!cvn                 5600.7260
MicroWorld eScan          Trojan.GenericKD.1478294           15.0.0.12
Norman                    Suspicious_Gen4.FONJV              11.20140104
nProtect                  Trojan.GenericKD.1478294           14.01.05.01
Panda Antivirus           Trj/Genetic.gen                    14.01.04.06
Sophos                    Mal/Generic-S                      4.96
Trend Micro House Call    TROJ_FEBUSER.UJ                    7.2.4
Trend Micro               TROJ_FEBUSER.UJ                    10.465.04
Vba32 AntiVirus           Trojan.Scar                        3.12.24.3
VIPRE Antivirus           Trojan.Win32.Generic               25130

File size:
180 KB (184,320 bytes)

Product version:
1.00

Original file name:
FlashGuncelle.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\jeapaeedfpfcnbnegopffbpcmenipgoi\flash - guncelle.exe

File PE Metadata
Compilation timestamp:
12/28/2013 9:19:38 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:z24/WHZ6Olwr4JKuteJ6uyUytien4rzfrfFuTJ/utQ4JcwUHZ6OT/r:zvEAOYzDfaBb

Entry address:
0x184C

Entry point:
68, 10, 49, 41, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 24, 69, 3C, 44, 25, FE, 28, 4D, A8, C9, 5A, 25, 97, 56, B3, 5E, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 50, 72, 6F, 6A, 65, 63, 74, 31, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, FF, CC, 31, 00, 08, 51, D0, 39, 53, 87, 14, 89, 47, A3, A9, 60, AA, C1, 07, 3A, 95, DC, 40, 83, 49, B3, 09, 36, 43, 8B, 36, 24, 1B, 65, D9, 4A, B0, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
108 KB (110,592 bytes)
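The PE metadata above (compilation timestamp, OS version, subsystem, linker version, entry address, entry bytes) comes straight from the COFF and optional headers, and the first ten entry bytes (68 xx xx xx xx E8 EE FF FF FF) are the standard Visual Basic 5/6 startup stub: push a pointer to the VB project header, then call the ThunRTMain import thunk that sits 8 bytes before the entry point. The following script is an added example, not code from this page or from Reason Core Security; it extracts those fields from any Win32 EXE, flags the VB stub, and compares the file's digests with the hashes listed above. Because the real sample is not included, build_sample_pe() constructs a minimal stand-in PE that carries this page's header values and entry bytes.

```python
"""Extract PE header fields, detect the VB5/6 entry stub, and check hashes against this page's IOCs.
Added example. build_sample_pe() returns a constructed stand-in, NOT the real flash - guncelle.exe."""
import hashlib
import struct
import sys
from datetime import datetime, timezone

# Hashes published on this page for flash - guncelle.exe.
PAGE_IOCS = {
    "md5": "fbf92ea1aa2424befb7b19bba8e4ee92",
    "sha1": "a35037633336fb206f1a9af88a7b12e56cf3cf01",
    "sha256": "e0622960ff4362c244b910a15406f56863feceba5052e01cf4cf134ab30afc24",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in PAGE_IOCS}


def matches_page_iocs(data):
    """Names of the algorithms whose digest equals the page's value (empty set = no match)."""
    h = hashes(data)
    return {alg for alg, value in PAGE_IOCS.items() if h[alg] == value}


def pe_metadata(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4                                                     # IMAGE_FILE_HEADER
    _machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                                   # IMAGE_OPTIONAL_HEADER
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)             # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    # Walk the section table to map the entry RVA to a file offset.
    entry_off = None
    for i in range(nsections):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            entry_off = rawptr + (entry_rva - vaddr)
            break
    entry = data[entry_off:entry_off + 16] if entry_off is not None else b""
    # VB5/6 stub: push <VB header VA>; call rel32 -0x12, i.e. the ThunRTMain thunk 8 bytes before the entry.
    vb_stub = len(entry) >= 10 and entry[0] == 0x68 and entry[5:10] == b"\xE8\xEE\xFF\xFF\xFF"
    return {
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "bitness": "Win32" if magic == 0x10B else "Win64" if magic == 0x20B else hex(magic),
        "linker": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "entry_bytes": entry.hex(" ").upper(),
        "vb_stub": vb_stub,
        "vb_header_rva": struct.unpack_from("<I", entry, 1)[0] - image_base if vb_stub else None,
    }


def build_sample_pe():
    """Constructed minimal PE with this page's header values and entry bytes (not the real file)."""
    ts = int(datetime(2013, 12, 28, 9, 19, 38, tzinfo=timezone.utc).timestamp())
    entry_rva, text_rva, text_raw = 0x184C, 0x1000, 0x400
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x010F)  # i386, 1 section, PE32 opt header
    opt = struct.pack("<HBB", 0x10B, 6, 0)                            # PE32 magic, linker 6.0
    opt += struct.pack("<III", 0x1B000, 0, 0)                         # SizeOfCode, init, uninit data
    opt += struct.pack("<III", entry_rva, text_rva, 0x1C000)          # entry, BaseOfCode, BaseOfData
    opt += struct.pack("<III", 0x400000, 0x1000, 0x200)               # ImageBase, section/file alignment
    opt += struct.pack("<HHHHHH", 4, 0, 1, 0, 4, 0)                   # OS 4.0, image 1.0, subsystem 4.0
    opt += struct.pack("<IIII", 0, 0x1D000, text_raw, 0)              # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)                                   # Subsystem = Windows GUI, DllCharacteristics
    opt += struct.pack("<IIII", 0x100000, 0x1000, 0x100000, 0x1000)   # stack/heap reserve and commit
    opt += struct.pack("<II", 0, 16) + b"\0" * (8 * 16)               # LoaderFlags, 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x1000, text_rva, 0x1000, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(text_raw, b"\0")
    body = bytearray(0x1000)
    body[entry_rva - text_rva:entry_rva - text_rva + 10] = b"\x68\x10\x49\x41\x00\xE8\xEE\xFF\xFF\xFF"
    return headers + bytes(body)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for k, v in pe_metadata(blob).items():
        print(f"{k:14} {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:14} {v}")
    print("IOC match:", sorted(matches_page_iocs(blob)) or "none")
```

Run it with a file path to inspect a real sample, or with no arguments to see the constructed stand-in report the same compiled date, linker 6.0, OS 4.0, Windows GUI subsystem, entry 0x184C and VB stub as the metadata above. A positive vb_stub result on a file posing as an "update" for a product not written in Visual Basic is itself a useful triage signal, and the decoded vb_header_rva is where a VB decompiler would start.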

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Project1

Command:
C:\users\{user}\appdata\local\jeapaeedfpfcnbnegopffbpcmenipgoi\flash - guncelle.exe
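The persistence described in the summary and in this Startup File section is the pattern a responder should be able to find on other hosts: a Run value whose name ("Project1", Visual Basic's default project name) does not match the executable it launches, pointing into %LOCALAPPDATA% under a 32-letter a-p folder of the kind Chrome uses for extension IDs. The script below is an added example, not code from this page or from Reason Core Security. It parses the output of `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (string values only), scores each entry against those heuristics, and can optionally read the live key on Windows. The .reg text and the user name alice are constructed for the example.

```python
"""Triage HKCU Run entries for the persistence pattern on this page.
Added example; SAMPLE_REG is a constructed .reg export, not a real one."""
import re
import sys

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg export` output (user "alice" is made up; the first value mirrors this page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Project1"="C:\\users\\alice\\appdata\\local\\jeapaeedfpfcnbnegopffbpcmenipgoi\\flash - guncelle.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="string value"
EXT_ID_DIR = re.compile(r"^[a-p]{32}$")                                # Chrome extension ID form


def parse_reg_run_values(text, key=RUN_KEY):
    """Return {value_name: command} for the [key] section of a .reg export (REG_SZ lines only)."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            name, cmd = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())   # undo .reg escaping
            values[name] = cmd
    return values


def executable_of(command):
    """Executable path from a Run command: quoted path, else everything up to the first .exe."""
    m = re.match(r'^"([^"]+)"', command) or re.match(r"^(.*?\.exe)", command, re.I)
    return m.group(1) if m else command


def triage(values):
    findings = []
    for name, cmd in values.items():
        exe = executable_of(cmd)
        parts = exe.replace("/", "\\").split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        reasons = []
        if any(EXT_ID_DIR.match(p) for p in parts[:-1]):
            reasons.append("ext_id_dir")          # 32 letters a-p, as in this page's install folder
        if "\\appdata\\local\\" in exe.lower():
            reasons.append("local_appdata")       # user-writable, no admin rights needed to plant
        if name.lower() != stem.lower():
            reasons.append("name_mismatch")       # value name does not match the binary it runs
        if name.lower() == "project1":
            reasons.append("vb_default_name")     # Visual Basic's default project name
        suspicious = "ext_id_dir" in reasons or ("local_appdata" in reasons and "name_mismatch" in reasons)
        findings.append({"name": name, "exe": exe, "reasons": reasons, "suspicious": suspicious})
    return findings


def read_hkcu_run_values():
    """Read the live HKCU Run key (Windows only); same shape as parse_reg_run_values()."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as k:
        while True:
            try:
                name, data, kind = winreg.EnumValue(k, i)
            except OSError:
                break
            if kind in (winreg.REG_SZ, winreg.REG_EXPAND_SZ):
                values[name] = data
            i += 1
    return values


if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    for f in triage(read_hkcu_run_values() if live else parse_reg_run_values(SAMPLE_REG)):
        print(("SUSPICIOUS" if f["suspicious"] else "ok        ") + f"  {f['name']!r} -> {f['exe']}  {f['reasons']}")
```

A name mismatch alone is not enough to flag an entry (SecurityHealth launches SecurityHealthSystray.exe legitimately), and a %LOCALAPPDATA% path alone is not either (OneDrive lives there); the combination, or the extension-ID-shaped folder, is what singles out the Project1 entry. Remediation order matters: delete the Run value first, then the file, so the binary cannot re-register itself between the two steps.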


The file flash - guncelle.exe has been seen being distributed from 7 URLs, two of which are shown here.

https://docs.google.com//uc?authuser=0&id=0B_tPP2AY1siPOEhwbnFCNi1BVlk

https://docs.google.com//uc?authuser=0&id=0B_tPP2AY1siPNHZyUTBhcThKVW8

Remove flash - guncelle.exe - Powered by Reason Core Security