SHA256: 175995029aaa313ea16e160020e6e0c5b7c06f53b0e2a4299a4549e78c00df4d
File name: InsFlashPlay_1.2_.exe
Detection ratio: 12 / 54
Analysis date: 2015-01-10 15:22:42 UTC ( 4 years, 1 month ago )
Antivirus | Result | Update
Ad-Aware | Gen:Variant.Strictor.64312 | 20150110
AhnLab-V3 | Trojan/Win32.Spnr | 20150110
ALYac | Gen:Variant.Strictor.64312 | 20150110
AVG | Luhe.Fiha.A | 20150110
BitDefender | Gen:Variant.Strictor.64312 | 20150110
Emsisoft | Gen:Variant.Strictor.64312 (B) | 20150110
ESET-NOD32 | a variant of Win32/TrojanDownloader.Autoit.NWO | 20150110
F-Secure | Gen:Variant.Strictor.64312 | 20150110
GData | Gen:Variant.Strictor.64312 | 20150110
Kaspersky | HEUR:Trojan-Downloader.Win32.Generic | 20150110
Malwarebytes | Trojan.Agent.ADPGen | 20150110
McAfee-GW-Edition | BehavesLike.Win32.Dropper.fc | 20150110
AegisLab | (no detection) | 20150110
Yandex | (no detection) | 20150109
Antiy-AVL | (no detection) | 20150110
Avast | (no detection) | 20150110
Avira (no cloud) | (no detection) | 20150110
Baidu-International | (no detection) | 20150110
Bkav | (no detection) | 20150109
ByteHero | (no detection) | 20150110
CAT-QuickHeal | (no detection) | 20150110
ClamAV | (no detection) | 20150110
Comodo | (no detection) | 20150110
Cyren | (no detection) | 20150110
DrWeb | (no detection) | 20150110
F-Prot | (no detection) | 20150110
Fortinet | (no detection) | 20150110
Ikarus | (no detection) | 20150110
Jiangmin | (no detection) | 20150109
K7AntiVirus | (no detection) | 20150110
K7GW | (no detection) | 20150110
Kingsoft | (no detection) | 20150110
McAfee | (no detection) | 20150110
Microsoft | (no detection) | 20150110
eScan | (no detection) | 20150110
NANO-Antivirus | (no detection) | 20150110
Norman | (no detection) | 20150110
nProtect | (no detection) | 20150109
Panda | (no detection) | 20150110
Qihoo-360 | (no detection) | 20150110
Rising | (no detection) | 20150109
Sophos AV | (no detection) | 20150110
SUPERAntiSpyware | (no detection) | 20150110
Symantec | (no detection) | 20150110
Tencent | (no detection) | 20150110
TheHacker | (no detection) | 20150106
TotalDefense | (no detection) | 20150110
TrendMicro | (no detection) | 20150110
TrendMicro-HouseCall | (no detection) | 20150110
VBA32 | (no detection) | 20150110
VIPRE | (no detection) | 20150110
ViRobot | (no detection) | 20150110
Zillya | (no detection) | 20150109
Zoner | (no detection) | 20150107
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-01-08 23:04:30
Entry Point 0x000DAEE0
Number of sections 3
PE sections
PE imports
ImageList_Remove
GetSaveFileNameW
LineTo
IcmpSendEcho
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
WNetUseConnectionW
VariantInit
GetProcessMemoryInfo
DragFinish
LoadUserProfileW
IsThemeActive
VerQueryValueW
FtpOpenFileW
timeGetTime
CoGetObject
Number of PE resources by type
RT_STRING 7
RT_ICON 5
RT_GROUP_ICON 4
RT_MANIFEST 1
RT_MENU 1
RT_RCDATA 1
RT_VERSION 1
Number of PE resources by language
ENGLISH UK 19
NEUTRAL 1
PE resources
ExifTool file metadata
UninitializedDataSize: 548864
LinkerVersion: 11.0
ImageVersion: 0.0
FileVersionNumber: 0.0.0.0
LanguageCode: English (British)
FileFlagsMask: 0x0000
CharacterSet: Unicode
InitializedDataSize: 12288
EntryPoint: 0xdaee0
MIMEType: application/octet-stream
TimeStamp: 2015:01:09 00:04:30+01:00
FileType: Win32 EXE
PEType: PE32
SubsystemVersion: 5.1
OSVersion: 5.1
FileOS: Win32
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CodeSize: 348160
FileSubtype: 0
ProductVersionNumber: 0.0.0.0
FileTypeExtension: exe
ObjectFileType: Executable application

File identification
MD5 2d05f04e1f2eb092ed81af79dbefa377
SHA1 605204f0256f0f053bac9c40f52f0bb181987342
SHA256 175995029aaa313ea16e160020e6e0c5b7c06f53b0e2a4299a4549e78c00df4d
ssdeep 6144:J+ssXv5jUA2OpjesAOfoTb+v+90TveVBciZnbCUxP4C9tgf/AN1LtdReCBJJKKrs:/Ov5jKhsfoPA+yeVKUCUxP4C902bdRto
authentihash 75c40ad1299d9262e0312f5514ce25e6e91da45107436eb31242df8ee3cac3f9
imphash ef471c0edf1877cd5a881a6a8bf647b9
File size 349.5 KB ( 357888 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (42.3%)
Win32 EXE Yoda's Crypter (36.7%)
Win32 Dynamic Link Library (generic) (9.1%)
Win32 Executable (generic) (6.2%)
Generic Win/DOS Executable (2.7%)
Tags
peexe upx

VirusTotal metadata
First submission 2015-01-10 15:22:42 UTC ( 4 years, 1 month ago )
Last submission 2015-02-05 15:31:41 UTC ( 4 years ago )
File names InsFlashPlay_1.2_.exe, file-7907031_exe, virussign.com_2d05f04e1f2eb092ed81af79dbefa377.vir
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R047C0DJG15.

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
DNS requests