» flashplayer__4120_i1209003258_il28.exe
Overview
Analysis
File Details
Downloads (5)

flashplayer__4120_i1209003258_il28.exe

Wilmaonline LTD.

This adware is a web browser extension that will inject advertising in the browser in the form of unwanted banners and text-links which may link to malware sites and install unwanted software. The application flashplayer__4120_i1209003258_il28.exe by Wilmaonline has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. The setup program bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. With this installer, users are expecting to download the free Adobe Flash Player but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware. It is distributed as part of the Brightcircle group of browser-extensions.

File name:

Publisher:

Wilmaonline LTD. (signed and verified)

Version:

1.1.5.89

MD5:

b850f09c4d491bcfe2017fbb09e19c52

SHA-1:

54d491d20fadd0f668bc6f4961d243a524ba8cfd

SHA-256:

37613e3fa2250de34312474f8160a1ce72be1724f4238d401d146e7938bfb432

Scanner detections:

18 / 68

Status:

Adware

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

4/19/2024 9:30:34 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Application.Bundler.Amonetize.12

880

Agnitum Outpost

PUA.Amonetize

7.1.1

AhnLab V3 Security

PUP/Win32.Amonetize

2014.08.23

Avira AntiVirus

ADWARE/Adware.Gen

7.11.168.226

AVG

Generic_r

2015.0.3358

Baidu Antivirus

Adware.Win32.Amonetize

4.0.3.1497

Bitdefender

Gen:Variant.Application.Bundler.Amonetize.12

1.0.20.1250

Dr.Web

Adware.Downware.8012

9.0.1.0250

ESET NOD32

Win32/Amonetize.BM (variant)

8.10299

F-Secure

Gen:Variant.Application.Bundler

11.2014-07-09_1

G Data

Gen:Variant.Application.Bundler.Amonetize.12

14.9.24

Kaspersky

not-a-virus:AdWare.Win32.Amonetize

14.0.0.3286

Malwarebytes

PUP.Optional.Amonetize

v2014.09.07.05

MicroWorld eScan

Gen:Variant.Application.Bundler.Amonetize.12

15.0.0.750

NANO AntiVirus

Riskware.Win32.Amonetize.ddtnan

0.28.2.61721

nProtect

Trojan-Clicker/W32.Amonetize.448704

14.08.22.01

Reason Heuristics

PUP.Installer.Wilmaonline.c

14.9.7.17

Zillya! Antivirus

Adware.Amonetize.Win32.722

2.0.0.1899

File size:

438.2 KB (448,704 bytes)

Product version:

1.1.5.89

Original file name:

setup.exe

File type:

Executable application (Win32 EXE)

Bundler/Installer:

TUGUU DomaIQ Setup

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\temp\flashplayer__4120_i1209003258_il28.exe

Digital Signature

Signed by:

Wilmaonline LTD.

Authority:

Thawte, Inc.

Valid from:

7/6/2014 8:00:00 PM

Valid to:

8/6/2015 7:59:59 PM

Subject:

CN=Wilmaonline LTD., O=Wilmaonline LTD., L=Raanana, S=Israel, C=IL

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

2B7DF4C242BFBB654DA05B78A86926AA

File PE Metadata

Compilation timestamp:

8/8/2014 11:14:44 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

12288:fVV0zJWDkTOWpz7jsnvqJbYpUSJP+8oAXbzjVc/:nwTjBSDag2nebNc/

Entry address:

0x10FBF

Entry point:

E8, E2, 56, 00, 00, E9, 89, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 3C, 4E, 3A, 00, 00, 75, 18, E8, F5, 2E, 00, 00, 6A, 1E, E8, 3F, 2D, 00, 00, 68, FF, 00, 00, 00, E8, 37, F3, FF, FF, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 3C, 4E, 3A... 
[+]

Entropy:

7.6129

Code size:

100.5 KB (102,912 bytes)

The file flashplayer__4120_i1209003258_il28.exe has been seen being distributed by the following 5 URLs.

http://www.positivedownload.com/tdownload.php?s1=7fada14035aae4fb249e61473e56b0a57138e182&t1=1408752457&ref=www.winflashplayer.com&version=1.1.5.89&direct=1&prefix=FlashPlayersetup&campid=7343&ti1=lax1CNzCyLOys_WAcBACGJ3m_OHX2KKucyIMNzYuMTc4LjQwLjE2KAEw3LTfnwU.&ti2=PMZ&ti3=3274011&capp=FlashPlayer

http://www.more-files.com/allddT.html?ref=www.winflashplayer.com&version=1.1.5.89&direct=1&prefix=FlashPlayersetup&campid=7343&ti1=lax1CNzCyLOys_WAcBACGJ3m_OHX2KKucyIMNzYuMTc4LjQwLjE2KAEw3LTfnwU.&ti2=PMZ&ti3=3274011&capp=FlashPlayer

http://www.dd-files.com/get.html?ref=www.winflashplayer.com&version=1.1.5.89&direct=1&prefix=FlashPlayersetup&campid=7343&ti1=lax1CNzCyLOys_WAcBACGJ3m_OHX2KKucyIMNzYuMTc4LjQwLjE2KAEw3LTfnwU.&ti2=PMZ&ti3=3274011&capp=FlashPlayer

http://www.newhdplugin.net/direct-download.html?version=1.1.5.89&ci=7343&capp=FlashPlayer&ti1=lax1CNzCyLOys_WAcBACGJ3m_OHX2KKucyIMNzYuMTc4LjQwLjE2KAEw3LTfnwU.&ti2=PMZ&ti3=3274011

http://lax1.ib.adnxs.com/click?uKkBkvF38z9VAduvbnPwP0oMAiuHFvM_VQHbr25z8D-4qQGS8XfzPx0zP3zFilxzXCFyJpvVAXBc2vdTAAAAABv1MQA_AQAAdgIAAAIAAABUJQABpzYHAAAAAQBVU0QAVVNEACwB-gDdYwAAWZEAAgUAAQIAAJQADyUUDQAAAAA./cnd=!PgbaOQigh-4BENTKgAgYp-0cIAE./referrer=ysk.pe/clickenc=http://.../direct-download.html?version=1.1.5.89&ci=7343&capp=FlashPlayer&ti1=lax1CNzCyLOys_WAcBACGJ3m_OHX2KKucyIMNzYuMTc4LjQwLjE2KAEw3LTfnwU.&ti2=PMZ&ti3=3274011

Remove flashplayer__4120_i1209003258_il28.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.