FlashPlayer.exe

FlashPlayer

The executable FlashPlayer.exe has been detected as malware by 22 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Flash’. While running, it connects to the Internet address host-46.20.14.149.routergate.com on port 80 using the HTTP protocol.
Product:
FlashPlayer

Version:
1.0.0.0

MD5:
ba42b4c9dc83ff9c4e64ac2b8841fe91

SHA-1:
dd46bc20983145cd6b363ba86e26fd5a7b28eaf4

SHA-256:
8d40f3b4e2605cdf10e4f2eaff80ee9f1ab99d388611df41dbef8e80e4b65c6c

Scanner detections:
22 / 68

Status:
Malware

Analysis date:
4/26/2024 12:32:52 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.2371325 | 626
Agnitum Outpost | Backdoor.Agent | 7.1.1
Avira AntiVirus | TR/Clicker.180224 | 8.3.1.6
avast! | Win32:Dropper-gen [Drp] | 2014.9-150519
AVG | Atros | 2016.0.3104
Baidu Antivirus | Trojan.MSIL.Agent | 4.0.3.15519
Bitdefender | Trojan.GenericKD.2371325 | 1.0.20.695
Emsisoft Anti-Malware | Trojan.GenericKD.2371325 | 8.15.05.19.02
ESET NOD32 | MSIL/TrojanClicker.Agent.NKL | 9.11650
Fortinet FortiGate | MSIL/TrojanClicker_Agent.NKL!tr | 5/19/2015
F-Secure | Trojan.GenericKD.2371325 | 11.2015-19-05_3
G Data | Trojan.GenericKD.2371325 | 15.5.25
IKARUS anti.virus | Trojan.MSIL.TrojanClicker | t3scan.1.8.9.0
K7 AntiVirus | Trojan | 13.204.15957
Kaspersky | Backdoor.MSIL.Agent | 14.0.0.2017
McAfee | Artemis!BA42B4C9DC83 | 5600.6760
MicroWorld eScan | Trojan.GenericKD.2371325 | 16.0.0.417
nProtect | Trojan.GenericKD.2371325 | 15.05.19.01
Panda Antivirus | Trj/Keylogger.GS | 15.05.19.02
Sophos | Mal/Generic-S | 4.98
Trend Micro House Call | TROJ_GEN.R02SH09EB15 | 7.2.139
Vba32 AntiVirus | Trojan.MSIL.gen.a.11 | 3.12.26.3

File size:
176 KB (180,224 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2015

Original file name:
FlashPlayer.exe

File type:
Executable application (Win32 EXE)

Language:
Turkish (Turkey)

Common path:
C:\users\{user}\appdata\roaming\chromechoose\flashplayer.exe

File PE Metadata
Compilation timestamp:
4/22/2015 5:20:36 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:5DX19MzmZVcXoST8029NNUGFp8NL8QScFhaLNHZPk4x068p1IpdhB6h:N19MSU297HpfiIL1dJPe9

Entry address:
0x5A1E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
15 KB (15,360 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Flash

Command:
C:\users\{user}\appdata\roaming\chromechoose\flashplayer.exe


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to host-46.20.14.149.routergate.com  (46.20.14.149:80)

Remove FlashPlayer.exe - Powered by Reason Core Security