firefox.exe

vid plaY

The application firefox.exe by vid plaY has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from get.sad1209.info.
Publisher:
vid plaY (signed and verified)

MD5:
a2a65e61f3cf025a1796a7b0e71a618d

SHA-1:
f629f06624a24a15471e206197a77aa5d41923b3

SHA-256:
e71e255e8898a35d77da0149dee252d272a8e420b7d2c193a8291041855cddf2

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
12/24/2024 5:01:06 PM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | PUA.OutBrowse | 7.1.1
AhnLab V3 Security | PUP/Win32.OutBrowse | 2015.04.17
AVG | Downloader | 2016.0.3137
Dr.Web | Trojan.OutBrowse.334 | 9.0.1.05190
ESET NOD32 | Win32/OutBrowse.BU potentially unwanted application | 7.0.302.0
F-Prot | W32/Outbrowse.B2.gen | v6.4.7.1.166
K7 AntiVirus | Adware | 13.202.15623
Malwarebytes | PUP.Optional.Outbrowse.Gen | v2015.04.17.08
McAfee | Program.Adware-OutBrowse.e | 16.8.708.2
NANO AntiVirus | Trojan.Win32.OutBrowse.dpuxby | 0.30.16.1110
Quick Heal | Adware.NSIS.OutBrowse.A | 4.15.14.00
Reason Heuristics | Threat.Outbrowse.Installer.Outborwse | 15.4.17.2
VIPRE Antivirus | Threat.5085447 | 38882

File size:
574.9 KB (588,680 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\firefox.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
3/15/2015 5:00:00 PM

Valid to:
12/17/2015 3:59:59 PM

Subject:
CN=vid plaY, O=vid plaY, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
35A9C40292102727C460D1CD1111D5B0

File PE Metadata
Compilation timestamp:
12/5/2009 2:52:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:bI+OEyIJeYQ8Af1ifITufJNn83O1+zs3N0PKZ:bI+xeY9AtifYuM3O4Q9

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.9423

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file firefox.exe has been seen being distributed by the following URL.

Remove firefox.exe - Powered by Reason Core Security