firefox.exe

Multiply ROI, Inc

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application firefox.exe by Multiply ROI, Inc has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The installer is marketed through download protals and search ads as the free Mozilla Firefox web browser but will also install additional software offers which include adware, PUPs and browser toolbars.
Publisher:
firefox  (signed by Multiply ROI, Inc)

Product:
firefox

Version:
1.0

MD5:
35375b301a2c97ab356575e9e6a9d182

SHA-1:
ac102833b9dcfca178d9272cd1b579b542bbd5b8

SHA-256:
81e9219b27158a70301691ed0bc43a2b237424906a9345d827aed67777cf1f7b

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/24/2024 12:38:31 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.OutBrowse
7.1.1

Dr.Web
Adware.Downware.1449
9.0.1.0213

ESET NOD32
Win32/OutBrowse (variant)
8.9175

Fortinet FortiGate
Riskware/Wajam
8/1/2014

herdProtect (fuzzy)
2014.9.11.6

Malwarebytes
PUP.Optional.OutBrowse
v2014.08.01.08

McAfee
Artemis!20AEC94BF0E0
5600.7011

Reason Heuristics
PUP.MultiplyROI.H
14.8.7.21

Trend Micro House Call
TROJ_GEN.F47V1208
7.2.213

Vba32 AntiVirus
Downloader.OutBrowse
3.12.24.3

VIPRE Antivirus
OutBrowse
24382

File size:
622.3 KB (637,240 bytes)

Copyright:
© firefox

Trademarks:
firefox

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\firefox.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/27/2013 6:00:00 PM

Valid to:
2/26/2014 5:59:59 PM

Subject:
CN="Multiply ROI, Inc", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Multiply ROI, Inc", L=San Francisco, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
071EA95218ABA65B6DE651F0EFE6F136

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:8Djvd/5V3Pz/3ovFUNkC9vg8kYFwn1Z0DqNPrVvpMVwJSBx03VzEfdO:8D7x3LQNUHvLUf3NPrViwowVz8O

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9786

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file firefox.exe has been seen being distributed by the following URL.

Remove firefox.exe - Powered by Reason Core Security