flash.exe

module2

The executable flash.exe (internal name module2.exe, a 24 KB .NET binary) has been detected as malware by 24 of 68 anti-virus scanners; several engines classify it as ransomware or a screen locker (Trojan-Ransom.Win32.Blocker, RDN/Ransom). It persists by registering itself in the current user's Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name ‘mucrosaft’, a lookalike of ‘Microsoft’, so it starts at every logon of that user. The file has been seen being downloaded from dropcanvas.com and is typically found at C:\users\{user}\appdata\roaming\flash.exe.
Product:
module2

Version:
1.0.0.0

MD5:
0978e2f51f3b224beafb70f2e02c23d6

SHA-1:
7f69a855cf4dba6b86830e2b494182beddd1bb86

SHA-256:
92e27a6b1c23f08fa680fa8303e7b54dae65d628f92194df37e89c9564876c7d

Scanner detections:
24 / 68

Status:
Malware

Analysis date:
4/19/2024 3:30:23 AM UTC

Scan engine              Detection                          Engine version
Lavasoft Ad-Aware        Trojan.GenericKD.2736134           447
AhnLab V3 Security       Malware/Win32.Generic              2015.10.02
Avira AntiVirus          TR/Ransom.24576.2                  8.3.2.2
Arcabit                  Trojan.Generic.D29C006             1.0.0.568
avast!                   Win32:Malware-gen                  2014.9-151115
Baidu Antivirus          Trojan.Win32.Ransomlock            4.0.3.151115
Bitdefender              Trojan.GenericKD.2736134           1.0.20.1595
Emsisoft Anti-Malware    Trojan.GenericKD.2736134           8.15.11.15.11
Fortinet FortiGate       W32/Blocker.HQKE!tr                11/15/2015
F-Secure                 Trojan.GenericKD.2736134           11.2015-15-11_1
G Data                   Trojan.GenericKD.2736134           15.11.25
IKARUS anti.virus        Trojan-Ransom.Win32.Blocker        t3scan.1.9.5.0
K7 AntiVirus             Riskware                           13.210.17394
Kaspersky                Trojan-Ransom.Win32.Blocker        14.0.0.1118
Malwarebytes             Trojan.MSIL.Dropper                v2015.11.15.11
McAfee                   RDN/Ransom                         5600.6581
MicroWorld eScan         Trojan.GenericKD.2736134           16.0.0.957
NANO AntiVirus           Trojan.Win32.Blocker.dxjqme        0.30.26.3725
nProtect                 Trojan.GenericKD.2736134           15.10.01.01
Panda Antivirus          Trj/CI.A                           15.11.15.11
Sophos                   Mal/Generic-S                      4.98
Trend Micro              TROJ_GEN.R00XC0EIQ15               10.465.15
VIPRE Antivirus          Trojan.Win32.Generic.pak!cobra     44202
Zillya! Antivirus        Trojan.Blocker.Win32.31519         2.0.0.2424

File size:
24 KB (24,576 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2015

Original file name:
module2.exe

File type:
Executable application (Win64 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\flash.exe

File PE Metadata
Compilation timestamp:
9/5/2015 10:11:39 PM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
48.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
384:zBee9GM8mwwjOaewlWwzQQIqybVcRPLMd:zv9GM8y6PwPV6c5Qd

Entry address:
0x4B8E

Entry point (first bytes of the file, i.e. the MZ header and DOS stub, not the code at the entry address):
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 80, 00, 00, 00, 0E, 1F, BA, 0E, 00, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 63, 61, 6E, 6E, 6F, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 69, 6E, 20, 44, 4F, 53, 20, 6D, 6F, 64, 65, 2E, 0D, 0D, 0A, 24, 00, 00, 00, 00, 00, 00, 00...

Entropy:
5.1172

Code size:
11 KB (11,264 bytes)
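The fields above (compilation timestamp, OS version, subsystem, linker version, entry address, CLR dependency) all come from the COFF and optional headers of the PE image. The following script, added here as an example and not part of this report or of Reason Core Security's tooling, reads them from a raw image. Because it must run offline, it builds a minimal PE32+ header inline carrying the same values the report lists (linker 48.0, OS 4.0, GUI subsystem, entry RVA 0x4B8E, SizeOfCode 11,264, a populated CLR data directory, and e_lfanew 0x80, which is also what the report's header dump shows at offset 0x3C); that constructed image is not flash.exe, and the timestamp is taken as UTC, which the report does not state. A practitioner would run it against a real sample with the file path as the first argument.

```python
"""Extract the PE header fields listed under "File PE Metadata" from a raw
image. Added example, not the report vendor's code. The image built by
build_sample_pe() is constructed inline with the report's header values
so the script runs offline; it is not flash.exe."""
import struct
import sys
from datetime import datetime, timezone

COM_DESCRIPTOR_INDEX = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}


def parse_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor, code_size = struct.unpack_from("<HBBI", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # OS version and Subsystem sit at the same offsets in PE32 and PE32+.
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs_off = opt + (108 if pe32plus else 92)
    if ndirs_off + 4 > opt + opt_size:
        raise ValueError("optional header too short")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, ndirs_off + 4 + 8 * COM_DESCRIPTOR_INDEX)
    return {
        "bitness": "Win64" if pe32plus else "Win32",
        "machine": hex(machine),
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "linker": f"{lnk_major}.{lnk_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"unknown ({subsystem})"),
        "entry_rva": hex(entry_rva),
        "code_size": code_size,
        # A non-empty CLR (COM descriptor) directory is what ".NET CLR dependent" means.
        "clr_dependent": clr_rva != 0 and clr_size != 0,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32+ header with the values shown in this report (not flash.exe)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Report timestamp 9/5/2015 10:11:39 PM, assumed UTC.
    compiled = int(datetime(2015, 9, 5, 22, 11, 39, tzinfo=timezone.utc).timestamp())
    ndirs = 16
    opt_size = 112 + 8 * ndirs
    coff = struct.pack("<HHIIIHH", 0x8664, 1, compiled, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<HBBI", opt, 0, 0x20B, 48, 0, 11264)  # PE32+, linker 48.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x4B8E)                 # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)         # section / file alignment
    struct.pack_into("<HH", opt, 40, 4, 0)                  # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)                  # subsystem version
    struct.pack_into("<H", opt, 68, 2)                      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 108, ndirs)
    struct.pack_into("<II", opt, 112 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)  # CLR header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_pe()
    for key, value in parse_pe(image).items():
        print(f"{key}: {value}")
```

The CLR check is the one that matters for triage: a populated COM descriptor directory means the native entry point at 0x4B8E is only a stub that hands control to the runtime, so the real logic is IL and is better read with a .NET decompiler than a native disassembler. A linker version of 48.0 is consistent with an assembly emitted by the Roslyn-era C# compiler, which fits the 2015 copyright and timestamp.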

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
mucrosaft

Command:
C:\users\{user}\appdata\roaming\flash.exe
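The persistence above is a simple pattern to hunt for on other hosts: a Run value whose command points at an executable sitting directly in the root of %APPDATA% (legitimate software uses a vendor subfolder), registered under a value name that imitates a real vendor, and confirmed by comparing the file's digests with the hashes in this report. The script below is an added example, not Reason Core Security's tooling: it reads HKCU\...\Run only on Windows, otherwise it triages a constructed list of sample entries (the first mirrors this report; the OneDrive and Spotify entries are invented benign controls and not taken from any real host). The lookalike threshold of two edits is an assumption chosen so that ‘mucrosaft’ matches ‘microsoft’.

```python
"""Triage HKCU Run entries for the persistence pattern in this report:
an executable dropped at the root of %APPDATA% under a lookalike value
name, confirmed by hash. Added example, not Reason Core Security's code.
Hash values are the IOCs from this report; SAMPLE_ENTRIES is constructed."""
import hashlib
import os
import re
import sys

REPORT_HASHES = {  # IOCs for flash.exe from this report
    "md5": "0978e2f51f3b224beafb70f2e02c23d6",
    "sha1": "7f69a855cf4dba6b86830e2b494182beddd1bb86",
    "sha256": "92e27a6b1c23f08fa680fa8303e7b54dae65d628f92194df37e89c9564876c7d",
}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# A .exe directly in %APPDATA% (no vendor subfolder), as this sample is installed.
APPDATA_ROOT_EXE = re.compile(
    r"(?:[a-z]:\\users\\[^\\]+\\appdata\\roaming|%appdata%)\\[^\\]+\.exe", re.I)
# Vendor names a typosquatted value name may imitate (assumed list).
LOOKALIKE_TARGETS = ("microsoft", "windows", "adobe", "google")

# Constructed sample entries, not from a real host; the first mirrors the report.
SAMPLE_ENTRIES = [
    ("mucrosaft", r"C:\users\alice\appdata\roaming\flash.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Spotify", r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" --minimized'),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted value names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def command_path(command: str) -> str:
    """Executable path from a Run value: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def classify(name: str, command: str) -> list:
    """Reasons an entry matches this report's pattern, or [] if it looks clean."""
    reasons = []
    if APPDATA_ROOT_EXE.fullmatch(command_path(command)):
        reasons.append("appdata_root_exe")
    if any(0 < edit_distance(name.lower(), t) <= 2 for t in LOOKALIKE_TARGETS):
        reasons.append("lookalike_name")
    return reasons


def hash_bytes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_HASHES}


def hash_file(path: str) -> dict:
    """MD5/SHA-1/SHA-256 of a file in one pass, chunked for large files."""
    hashers = {alg: hashlib.new(alg) for alg in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def matches_report(hashes: dict) -> set:
    """Algorithms whose digest equals the report's IOC for flash.exe."""
    return {alg for alg, d in hashes.items() if d.lower() == REPORT_HASHES[alg]}


def read_hkcu_run() -> list:
    """Enumerate (name, command) pairs from the current user's Run key (Windows only)."""
    import winreg
    entries, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


def triage(entries: list, hash_files: bool = False) -> list:
    """Findings for suspicious entries; hashes the on-disk file when asked."""
    findings = []
    for name, command in entries:
        reasons = classify(name, command)
        path = command_path(command)
        if hash_files and os.path.isfile(path) and matches_report(hash_file(path)):
            reasons.append("hash_matches_report")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    live = sys.platform == "win32"
    results = triage(read_hkcu_run(), hash_files=True) if live else triage(SAMPLE_ENTRIES)
    for f in results:
        print(f"{f['name']}: {f['path']} -> {', '.join(f['reasons'])}")
```

On a host where the hash matches, the value can be deleted with `Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name mucrosaft` and the file quarantined; the Run key alone is not proof, since the sample could be re-dropped by whatever fetched it from dropcanvas.com, so the download source and any other HKCU/HKLM autostart locations should be checked as well.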


The file flash.exe has been seen being distributed from dropcanvas.com.

Remove flash.exe - Powered by Reason Core Security