firefox-update.exe

Spiral Media

The application firefox-update.exe by Spiral Media has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Tomorrow Software Installer installer. The installer is marketed through download protals and search ads as the free Mozilla Firefox web browser but will also install additional software offers which include adware, PUPs and browser toolbars.
Publisher:
Tomorrow Software Installer  (signed by Spiral Media)

Product:
Tomorrow Software Installer

Version:
2.0.0.1

MD5:
109cd657b62aea71c1ec14456a019cef

SHA-1:
8af1e37df3d71f5bfcdd6b80fc0b3f26efe4f678

SHA-256:
5c5e8a79cfaa4163fe18210feeb6e5369e97f99a8845eb7a02642e49f38d5362

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/27/2024 6:31:15 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.TomorrowSoftware (M)
17.2.25.21

File size:
874.8 KB (895,800 bytes)

Product version:
2.0.0.1

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Tomorrow Software Installer

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\firefox-update.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/23/2015 5:00:00 PM

Valid to:
6/23/2016 4:59:59 PM

Subject:
CN=Spiral Media, O=Spiral Media, L=San Francisco, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6D229836E7034F48BD411B17636E7FEF

File PE Metadata
Compilation timestamp:
6/28/2014 9:21:30 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0xC7A2

Entry point:
E8, 3C, 05, 00, 00, E9, 57, FD, FF, FF, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, 72, 0A, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E9, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 58, 4B, 41, 00, 89, 0D, 54, 4B, 41, 00, 89, 15, 50, 4B, 41, 00, 89, 1D, 4C, 4B, 41, 00, 89, 35, 48, 4B, 41, 00, 89, 3D, 44, 4B, 41, 00, 66, 8C, 15, 70, 4B, 41, 00, 66, 8C, 0D, 64, 4B, 41, 00, 66, 8C, 1D, 40, 4B, 41, 00, 66, 8C, 05, 3C...
 
[+]

Entropy:
7.9551  (probably packed)

Code size:
51.5 KB (52,736 bytes)

Remove firefox-update.exe - Powered by Reason Core Security