× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 7f7bd5f002de9aedde4fa5dca5356cf576c95eb58bd85178d0781dfc0a1a6ca4
File name: FlashPlayer_Guncelle.exe
Detection ratio: 36 / 50
Analysis date: 2014-03-21 21:17:19 UTC ( 3 years, 7 months ago ) View latest
Antivirus Result Update
Ad-Aware Gen:Variant.Symmi.38822 20140321
Yandex Trojan.Foreign!Kpdi2dwrnws 20140321
AntiVir TR/Kazy.323825.8 20140321
Antiy-AVL Trojan[Ransom]/Win32.Foreign 20140320
Avast Win32:Febiturk-B [Trj] 20140321
AVG Generic35.BMNQ 20140321
Baidu-International Trojan.Win32.Ransom.aFK 20140321
BitDefender Gen:Variant.Symmi.38822 20140321
Comodo UnclassifiedMalware 20140321
DrWeb Trojan.Guncelle.2 20140321
Emsisoft Gen:Variant.Symmi.38822 (B) 20140321
ESET-NOD32 Win32/TrojanDownloader.VB.QJF 20140321
F-Secure Trojan:W32/Kilim.P 20140321
Fortinet W32/Foreign.KCME!tr 20140321
GData Gen:Variant.Symmi.38822 20140321
Ikarus Trojan.Win32.Nixofro 20140321
K7AntiVirus Trojan-Downloader ( 0049417d1 ) 20140321
K7GW Trojan-Downloader ( 0049417d1 ) 20140321
Kaspersky Trojan-Ransom.Win32.Foreign.kcme 20140321
Kingsoft Win32.Troj.Undef.(kcloud) 20140321
Malwarebytes Trojan.Agent 20140321
McAfee Artemis!28C3C503D398 20140321
McAfee-GW-Edition Artemis!28C3C503D398 20140321
Microsoft Trojan:Win32/Nixofro.A 20140321
eScan Gen:Variant.Symmi.38822 20140321
NANO-Antivirus Trojan.Win32.Foreign.ctjhyf 20140321
Norman Troj_Generic.SKLLJ 20140321
Panda Generic Malware 20140321
Qihoo-360 Win32/Trojan.Ransom.6a7 20140321
Sophos AV Mal/Generic-S 20140321
SUPERAntiSpyware Trojan.Agent/Gen-Undef 20140321
Symantec Trojan.Gen.2 20140321
TrendMicro TROJ_SPNR.35CD14 20140321
TrendMicro-HouseCall TROJ_SPNR.35CD14 20140321
VBA32 Hoax.Foreign 20140321
VIPRE Trojan.Win32.Generic!BT 20140321
AegisLab 20140321
AhnLab-V3 20140321
Bkav 20140321
ByteHero 20140321
CAT-QuickHeal 20140320
ClamAV 20140321
CMC 20140319
Commtouch 20140321
F-Prot 20140321
Jiangmin 20140321
nProtect 20140321
Rising 20140321
TheHacker 20140321
TotalDefense 20140321
ViRobot 20140321
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright (C) Adobe Systems Incorporated

Product Adobe Flash Player Installer
Original name host.exe
Internal name host.exe
File version 3.3.9.0
Description Adobe Flash Player Installer
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-01-26 03:13:06
Entry Point 0x001A14A0
Number of sections 3
PE sections
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
Ord(580)
Number of PE resources by type
RT_ICON 24
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 25
ENGLISH US 1
PE resources
ExifTool file metadata
SubsystemVersion
4.0

LinkerVersion
6.0

ImageVersion
1.0

FileSubtype
0

FileVersionNumber
3.3.9.0

UninitializedDataSize
1425408

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Windows, Latin1

InitializedDataSize
798720

EntryPoint
0x1a14a0

OriginalFileName
host.exe

MIMEType
application/octet-stream

LegalCopyright
Copyright (C) Adobe Systems Incorporated

FileVersion
3.3.9.0

TimeStamp
2014:01:26 04:13:06+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
host.exe

ProductVersion
3.3.9.0

FileDescription
Adobe Flash Player Installer

OSVersion
4.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Solid State Networks

CodeSize
282624

ProductName
Adobe Flash Player Installer

ProductVersionNumber
3.3.9.0

Warning
Possibly corrupt Version resource

FileTypeExtension
exe

ObjectFileType
Executable application

File identification
MD5 28c3c503d398914bdd2c2b3fdc1f9ea4
SHA1 c5f1a5a49386f9dcd83029191fa7d5e99f8cf027
SHA256 7f7bd5f002de9aedde4fa5dca5356cf576c95eb58bd85178d0781dfc0a1a6ca4
ssdeep
12288:F0ZI89t44eGnTWqLCH+I8bmJZOeZIc3OXoVGMcP:Z0t+QTWMCH+I8bXeZIoTGMc

authentihash a7d7d3f5fe5ba9941ae678eb2fcf7afa9a6d76dc9aa921a35ac16b563161c3bf
imphash 5f116d8e20f7d894b4b4ecbad1704009
File size 1.0 MB ( 1078272 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID UPX compressed Win32 Executable (46.5%)
Win32 EXE Yoda's Crypter (40.4%)
Win32 Executable (generic) (6.8%)
Generic Win/DOS Executable (3.0%)
DOS Executable Generic (3.0%)
Tags
peexe upx

VirusTotal metadata
First submission 2014-02-01 15:22:59 UTC ( 3 years, 8 months ago )
Last submission 2016-06-30 11:06:37 UTC ( 1 year, 3 months ago )
File names host.exe
FlashPlayer_Guncelle.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
UDP communications