flashplayer__4369_i268002322_il14.exe

Installer

Amonetize ltd.

This is the Amonetize download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application flashplayer__4369_i268002322_il14.exe by Amonetize ltd has been detected as adware by 17 anti-malware scanners. The program is a setup application that uses the Amonetize Downloader installer. The installer uses the InstallMonetizer platform which will donwload and install adware toolbars and other potentially unwanted software offers during setup. With this installer, users are expecting to download the free Adobe Flash Player but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
Amônétízé Ltd  (signed by Amonetize ltd.)

Product:
Installer

Version:
1.1.5.55

MD5:
5417f09906e3b00634d3c33c4da72d92

SHA-1:
16dc26982c4dc25e6163f155827874b3df264a1e

SHA-256:
c2d34fe4fec7e474801ddab6f7e811225fa982e9798465c6dc4298e5a5be0866

Scanner detections:
17 / 68

Status:
Adware

Explanation:
This setup file is a re-distribution of the original program that bundles various adware offers during installation including toolbars and browser search extensions.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
8/19/2018 9:21:52 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.02.01

avast!
Win32:Dropper-gen [Drp]
2014.9-140410

AVG
Generic5
2015.0.3508

Dr.Web
Adware.Downware.1655
9.0.1.0100

ESET NOD32
Win32/Amonetize.AA (variant)
8.9364

Fortinet FortiGate
Riskware/Amonetize
4/10/2014

G Data
Win32.Trojan.Agent.GOH72L
14.4.24

K7 AntiVirus
Unwanted-Program
13.175.11028

K7 Gateway Antivirus
Unwanted-Program
13.175.11028

Malwarebytes
PUP.Optional.InstallMonetizer
v2014.04.10.04

McAfee
Adware-Amonetize!5417F09906E3
5600.7164

McAfee Web Gateway
Adware-Amonetize!5417F09906E3
7.7164

Panda Antivirus
Suspicious file
14.04.10.04

Reason Heuristics
PUP.Installer.Amonetizeltd.b
14.8.7.20

Sophos
Amonetize
4.97

Trend Micro House Call
TROJ_GEN.F47V0115
7.2.100

VIPRE Antivirus
Amonetize
26006

File size:
329 KB (336,936 bytes)

Product version:
2.1.12

Copyright:
(c) Amônétízé Ltd, 2012,2013. All rights reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Amonetize Downloader

Language:
English (United States)

Common path:
C:\users\{user}\downloads\flashplayer__4369_i268002322_il14.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
3/19/2013 1:00:00 AM

Valid to:
6/19/2015 1:59:59 AM

Subject:
CN=Amonetize ltd., O=Amonetize ltd., L=Raanana, S=Alberta, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
235E7B2F1D4E0152189F6381E2BA8C97

File PE Metadata
Compilation timestamp:
1/15/2014 6:11:40 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:sfOpdUmRui8nHygPxBRMBZBTyDleFw6oHLb2C4X9QtQ/0Re8pH0:sOzUmRV8PPxB2ZBKUoHGjX9QvpH0

Entry address:
0x26C43

Entry point:
E8, 77, 96, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...
 
[+]

Code size:
229 KB (234,496 bytes)

The file flashplayer__4369_i268002322_il14.exe has been seen being distributed by the following 14 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.soledownload.com  (54.225.181.84:80)

TCP (HTTP):
Connects to www.activemonetizer.com  (23.23.96.46:80)

 
http://www.activemonetizer.com/index.php?Net2=v2.0.50727&Net4=&OSversion=NT5.1SP3&Slv=&Sysid=B24031001&Sysid1=B24031001&X64=N&admin=Y&browser=IEXPLORE.EXE&chver=&exe=ikjut__3814890&offver=&lang_DfltUser=04

Remove flashplayer__4369_i268002322_il14.exe - Powered by Reason Core Security