» flashplayer__4369_i148345243_il14.exe
Overview
Analysis
File Details
Downloads (4)
Network (2)

flashplayer__4369_i148345243_il14.exe

Installer

Amonetize ltd.

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application flashplayer__4369_i148345243_il14.exe by Amonetize ltd has been detected as adware by 27 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. With this installer, users are expecting to download the free Adobe Flash Player but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.

File name:

Publisher:

Amônétízé Ltd (signed by Amonetize ltd.)

Product:

Installer

Version:

1.1.5.55

MD5:

3914888cdb3a34cdfdd6401f8117168e

SHA-1:

9a9ee521c01d87cd5e7202ac97a95f2d8b671c1e

SHA-256:

b30e57067a8141b961537c8b551ac35fe80307fa11dfef912fa725a1cf0bef98

Scanner detections:

27 / 68

Status:

Adware

Explanation:

This setup file is a re-distribution of the original program that bundles various adware offers during installation including toolbars and browser search extensions.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

4/25/2024 4:33:52 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Application.Bundler.Amonetize.14

772

AhnLab V3 Security

PUP/Win32.Amonetiz

2014.12.14

Avira AntiVirus

Adware/Amonetize.E

7.11.195.56

avast!

Win32:Amonetize-R [PUP]

2014.9-141225

AVG

Generic

2015.0.3250

Baidu Antivirus

Adware.Win32.Amonetize

4.0.3.141225

Bitdefender

Gen:Variant.Application.Bundler.Amonetize.14

1.0.20.1795

Comodo Security

ApplicUnwnt

20362

Dr.Web

Adware.Downware.2346

9.0.1.0359

ESET NOD32

Win32/Amonetize (variant)

8.10873

Fortinet FortiGate

MSIL/Kryptik.NM!tr

12/25/2014

F-Secure

Gen:Variant.Application.Bundler

11.2014-25-12_5

G Data

Gen:Variant.Application.Bundler.Amonetize.14

14.12.24

IKARUS anti.virus

Win32.SuspectCrc

t3scan.1.8.5.0

K7 AntiVirus

Unwanted-Program

13.187.14319

Kaspersky

not-a-virus:HEUR:AdWare.Win32.Amonetize

14.0.0.2743

Malwarebytes

PUP.Optional.InstallMonetizer

v2014.12.25.09

McAfee

Adware-Amonetize

5600.6906

MicroWorld eScan

Gen:Variant.Application.Bundler.Amonetize.14

15.0.0.1077

NANO AntiVirus

Riskware.Win32.Amonetize.dcnqqx

0.28.6.63850

Qihoo 360 Security

Win32/Virus.Adware.932

1.0.0.1015

Reason Heuristics

PUP.Installer.Amonetizeltd.b

14.12.25.9

Sophos

Amonetize

4.98

Trend Micro House Call

TROJ_SPNR.3AGS14

7.2.359

Trend Micro

TROJ_SPNR.3AGS14

10.465.25

VIPRE Antivirus

Amonetize

35710

Zillya! Antivirus

Backdoor.PePatch.Win32.41919

2.0.0.2005

File size:

330.5 KB (338,472 bytes)

Product version:

2.1.12

Original file name:

Installer.exe

File type:

Executable application (Win32 EXE)

Bundler/Installer:

Amonetize Downloader

Language:

English (United States)

Common path:

C:\users\{user}\downloads\flashplayer__4369_i148345243_il14.exe

Digital Signature

Signed by:

Amonetize ltd.

Authority:

Thawte, Inc.

Valid from:

3/19/2013 1:00:00 AM

Valid to:

6/19/2015 1:59:59 AM

Subject:

CN=Amonetize ltd., O=Amonetize ltd., L=Raanana, S=Alberta, C=IL

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

235E7B2F1D4E0152189F6381E2BA8C97

File PE Metadata

Compilation timestamp:

11/24/2013 1:16:15 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

6144:mXHGu21wSfAuUz5ExyvLUAhJ9oBis3XeDi+P4MnIs3rf3UnwkxXwnpBE:GHG5eSIuoEqUAh7wisn4A9mrf3Jpe

Entry address:

0x27053

Entry point:

E8, 74, 96, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF... 
[+]

Code size:

230 KB (235,520 bytes)

The file flashplayer__4369_i148345243_il14.exe has been seen being distributed by the following 4 URLs.

http://ad.propellerads.com/ck.php?oaparams=2__bannerid=65588__zoneid=10250__OXLCA=1__cb=ff91f40e21__oadest=http://.../download.php?version=1.1.5.55&campid=2570&capp=FlashPlayer&prefix=FlashPlayer&ti1=${SUBID}

http://ad.propellerads.com/ck.php?oaparams=2__bannerid=65156__zoneid=10769__OXLCA=1__cb=e5ce0def79__oadest=http://.../download.php?version=1.1.5.55&campid=2570&capp=FlashPlayer&prefix=FlashPlayer&ti1=${SUBID}

http://ad.propellerads.com/ck.php?oaparams=2__bannerid=65156__zoneid=10769__OXLCA=1__cb=3733e36a03__oadest=http://.../download.php?version=1.1.5.55&campid=2570&capp=FlashPlayer&prefix=FlashPlayer&ti1=${SUBID}

http://www.samedownload.com/download.php?version=1.1.5.55&prefix=FlashPlayerSetup&campid=4369&instid[appname]=FlashPlayer&instid[appsetupurl]=https://launchpad.net/lightspark/trunk/lightspark-0.5.3/ download/Lightspark-0.5.3-win32.exe&instid[appimageurl]=http://www.tsxnrey.com/i/White Smoke Inc/.../150x150_v1Logo.jpg&prefix=FlashPlayer&ti1=MTEwfDMzM3xBVHwzfDF8

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to www.soledownload.com (54.225.181.84:80)

TCP (HTTP):

Connects to www.activemonetizer.com (23.23.96.46:80)

http://www.activemonetizer.com/index.php?Net2=v2.0.50727&Net4=&OSversion=NT5.1SP3&Slv=&Sysid=B215676583&Sysid1=B215676583&X64=N&admin=Y&browser=IEXPLORE.EXE&chver=&exe=ikjut__15460472&offver=&lang_DfltUser=04

Remove flashplayer__4369_i148345243_il14.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.