SHA256: 0fea14ad9427dd20bf3ac2cc8442f39b51628840b1af6ed43bfe19bcf02af5d7
File name: install_flashplayer11x32_mssd_aih.exe
Detection ratio: 1 / 42
Analysis date: 2012-05-04 19:49:34 UTC ( 6 years, 11 months ago )
Antivirus Result Update
Comodo TrojWare.Win32.Trojan.Agent.Gen 20120504
AhnLab-V3 20120504
AntiVir 20120504
Antiy-AVL 20120504
Avast 20120504
AVG 20120504
BitDefender 20120504
ByteHero 20120502
CAT-QuickHeal 20120504
ClamAV 20120504
Commtouch 20120504
DrWeb 20120504
Emsisoft 20120504
eSafe 20120502
eTrust-Vet 20120504
F-Prot 20120504
F-Secure 20120504
Fortinet 20120504
GData 20120504
Ikarus 20120504
Jiangmin 20120504
K7AntiVirus 20120504
Kaspersky 20120504
McAfee 20120504
McAfee-GW-Edition 20120504
Microsoft 20120504
NOD32 20120504
Norman 20120504
nProtect 20120504
Panda 20120504
PCTools 20120504
Rising 20120504
Sophos AV 20120504
SUPERAntiSpyware 20120411
Symantec 20120504
TheHacker 20120504
TrendMicro 20120504
TrendMicro-HouseCall 20120504
VBA32 20120504
VIPRE 20120504
ViRobot 20120504
VirusBuster 20120504
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright (C) Adobe Systems Incorporated
Product Adobe Flash Player Installer
Original name host.exe
Internal name host.exe
File version 3.2.1.35
Description Adobe Flash Player Installer
Signature verification Signed file, verified signature
Signing date 10:50 PM 4/9/2012
Signers
[+] Adobe Systems Incorporated
Status This certificate or one of the certificates in the certificate chain is not time valid. Trust for this certificate or one of the certificates in the certificate chain has been revoked.
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid from 12:00 AM 12/15/2010
Valid to 11:59 PM 12/14/2012
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint FDF01DD3F37C66AC4C779D92623C77814A07FE4C
Serial number 15 E5 AC 0A 48 70 63 71 8E 39 DA 52 30 1A 04 88
[+] VeriSign Class 3 Code Signing 2010 CA
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 12:00 AM 02/08/2010
Valid to 11:59 PM 02/07/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 495847A93187CFB8C71F840CB7B41497AD95C64F
Serial number 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
[+] VeriSign
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 12:00 AM 11/08/2006
Valid to 11:59 PM 07/16/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
Counter signers
[+] VeriSign Time Stamping Services Signer - G2
Status This certificate or one of the certificates in the certificate chain is not time valid. The revocation status of the certificate or one of the certificates in the certificate chain is unknown. Error 65536 (0x10000). The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 12:00 AM 06/15/2007
Valid to 11:59 PM 06/14/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Serial number 38 25 D7 FA F8 61 AF 9E F4 90 E7 26 B5 D6 5A D5
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 12:00 AM 12/04/2003
Valid to 11:59 PM 12/03/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 01/01/1997
Valid to 11:59 PM 12/31/2020
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT UPX, ZIP
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-03-16 23:27:10
Entry Point 0x00070B50
Number of sections 3
PE sections
Overlays
MD5 0eb233fec86ee455d9d10a44625e33cd
File type application/zip
Offset 206848
Size 589000
Entropy 7.99
PE imports
BitBlt
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
SysFreeString
SHGetMalloc
CoCreateGuid
Number of PE resources by type
RT_ICON 14
RT_GROUP_ICON 2
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 18
PE resources
ExifTool file metadata
SubsystemVersion 5.0
InitializedDataSize 28672
ImageVersion 0.0
ProductName Adobe Flash Player Installer
FileVersionNumber 3.2.1.35
UninitializedDataSize 278528
LanguageCode English (U.S.)
FileFlagsMask 0x003f
ImageFileCharacteristics Executable, 32-bit
CharacterSet Windows, Latin1
LinkerVersion 9.0
FileTypeExtension exe
OriginalFileName host.exe
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 3.2.1.35
TimeStamp 2012:03:16 23:27:10+00:00
FileType Win32 EXE
PEType PE32
InternalName host.exe
ProductVersion 3.2.1.35
FileDescription Adobe Flash Player Installer
OSVersion 5.0
FileOS Win32
LegalCopyright Copyright (C) Adobe Systems Incorporated
MachineType Intel 386 or later, and compatibles
CompanyName Solid State Networks
CodeSize 180224
FileSubtype 0
ProductVersionNumber 3.2.1.35
EntryPoint 0x70b50
ObjectFileType Executable application

CarbonBlack. CarbonBlack acts as a surveillance camera for computers.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
PE resource-wise parents
Compressed bundles
File identification
MD5 8eb1badfba54939be4201516b0f11736
SHA1 3ab1a7f54f575b603d75341d684e24bdfda61837
SHA256 0fea14ad9427dd20bf3ac2cc8442f39b51628840b1af6ed43bfe19bcf02af5d7
ssdeep 12288:x3efPwr5ORPboi1DLkoJWJikD1BdtKJvT7Lby:x8c5ORPbonikbfKhHLG
authentihash a06c2b1b7429fbf6ee249e96c491251716d98a5d6d555615db3a2abca4014d17
imphash 64f576e6dae5b8a3387472d6a4248561
File size 777.2 KB ( 795848 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (38.2%)
Win32 EXE Yoda's Crypter (37.5%)
Win32 Dynamic Link Library (generic) (9.2%)
Win32 Executable (generic) (6.3%)
OS/2 Executable (generic) (2.8%)
Tags revoked-cert peexe signed upx overlay
VirusTotal metadata
First submission 2012-04-24 04:46:49 UTC ( 6 years, 12 months ago )
Last submission 2018-08-02 21:04:40 UTC ( 8 months, 3 weeks ago )
File names test.exe
install_flashplayer11x32_chra_aih.exe
flash-player-1405-jetelecharge.exe
install_flashplayer11232_mssd_aih.exe
install_flashplayer11x32_mssa_aih(1).exe
install_flashplayer11x32_aih.exe
8eb1badfba54939be4201516b0f
8eb1badfba54939be4201516b0f11736
output.14983633.txt
install_flashplayer11x32_chrd_aih.exe
install_flashplayer11x32_mssd_aih -firefox.exe
0FEA14AD9427DD20BF3AC2CC8442F39B51628840B1AF6ED43BFE19BCF02AF5D7
flashplayer_11_other.exe
vol2-C..ProgramData.Microsoft.Windows.DRM.install_flashplayer.exe
install_flashplayer11x32_mssd_aih(2).exe
install_flashplayer11x32_mssd_aih(1).exe
59FE5870C8B9315624CB0C59D29246002F643137.exe
install_flashplayer11x32_mssd_aih.exe?token=1337429676_974a4f4d6441710c5a0aa8a99b3f1884
Копия install_flashplayer11x32_chrd_aih.exe
14983633
202500.malware
install_flashplayer11x32_mssd_aih.exe
0FEA14AD9427DD20BF3AC2CC8442F39B51628840B1AF6ED43BFE19BCF02AF5D7.dat
install_flashplayer11x32_mssd_aih.exe?token=1336858145_e96a67a6b8078624d5c22927bcd84151
file-3851023_exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua