1clickdownload_1cd_16_0_setup.exe

Cool Mirage ltd.

This is the setup program for CoolMirage, a potentially unwanted program (PUP) that displays ads on the computer. The application 1clickdownload_1cd_16_0_setup.exe by Cool Mirage ltd has been detected as adware by 20 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. During installation, it bundles additional potentially unwanted software onto the user's computer without adequate consent. The file has been seen being downloaded from dl-vip.appstore.baidu.co.th and multiple other hosts.
Publisher:
Cool Mirage ltd. (signed and verified)

MD5:
13f77ab6a2f37ea84ae904942123bbe4

SHA-1:
d1f0c6bb85d0d514e71558609c9efe251f8ab8e1

SHA-256:
25b9ce6e156aad4e8ac5f750e18de12e0fd0a646e0d61c5228d36a05a334480a

Scanner detections:
20 / 68

Status:
Adware

Explanation:
May bundle additional potentially unwanted software such as adware during setup.

Analysis date:
11/22/2024 8:03:35 PM UTC

Scan engine          Detection                          Engine version
Avira AntiVirus      APPL/CoolMirage.Gen6               7.11.157.148
avast!               NSIS:Oneclick-Z [PUP]              2014.9-140701
Bkav FE              W32.Clod213.Trojan                 1.3.0.4959
Comodo Security      Application.Win32.MCool.A          18716
McAfee               Artemis!13F77AB6A2F3               5600.7083
NANO AntiVirus       Riskware.Nsis.Downware.czyjkl      0.28.0.60475
Reason Heuristics    PUP.Installer.CoolMirageltd.DD     14.8.7.18
Sophos               FT Downloader                      4.98
SUPERAntiSpyware     PUP.BundleInstaller                10511
VIPRE Antivirus      CoolMirage Ltd                     30800

File size:
175.2 KB (179,408 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\1clickdownload_1cd_16_0_setup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
11/14/2012 4:00:00 AM

Valid to:
11/15/2014 3:59:59 AM

Subject:
CN=Cool Mirage ltd., O=Cool Mirage ltd., STREET=ogarit 39, L=tel aviv, S=tel aviv, PostalCode=69016, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FC28659CC8073606EF4D09A1994B1AD0

File PE Metadata
Compilation timestamp:
12/6/2009 2:50:46 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:OQIURTXJf45+cqy0w0Z549jntxd5xXcjFQMCY34ug9JJE2qP:OsF1cop54JvdPw7/4ug9JG5

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...

Entropy:
7.7684

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file 1clickdownload_1cd_16_0_setup.exe has been observed being distributed from the following 2 URLs.

http://dl-vip.appstore.baidu.co.th/.../1ClickDownloader-2.1.exe

Remove 1clickdownload_1cd_16_0_setup.exe - Powered by Reason Core Security