firefox_download.exe

Nod

PlatformPrompt (Alpha Criteria Ltd.)

The application firefox_download.exe, “Nod Setup ” by PlatformPrompt (Alpha Criteria) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. With this installer, users are expecting to download the free Mozilla Firefox web browser but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
Kadom   (signed by PlatformPrompt (Alpha Criteria Ltd.))

Product:
Nod

Description:
Nod Setup

Version:
3.3.5.3

MD5:
b365496e19ab650681b241a687e3ef10

SHA-1:
4cf9b57e79fecceafae05035d3f04afc8c277574

SHA-256:
278ec45cf2b397e7f29ce8ad6237a78a380e4843a4e83f66d127e9a7e5b78d11

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/22/2024 10:05:23 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.InstallCore.AC (M)
17.3.14.10

File size:
981.9 KB (1,005,424 bytes)

Product version:
2.8

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\firefox_download.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
12/16/2015 1:17:26 PM

Valid to:
9/2/2016 1:02:46 PM

Subject:
CN=PlatformPrompt (Alpha Criteria Ltd.), O=PlatformPrompt (Alpha Criteria Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112111817CD313A533F2A76178D4452F81A6

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file firefox_download.exe has been seen being distributed by the following URL.

http://www.laboratorybulkdl.com/ID_4hocu_fWN6L8fckTsGZXGNw6JVugmdH p8n1Ch1KxqfEix6zfjNe5STIPZ6TOH52bT2GhXRsyxdLOQYd5cFrNVlJ4FApH1TqN8iNnx89HQEYDLh143K5AOnHepA hnkiLgFHcxvtywf2NO8Qw37kwTZ5ZVlTsmH wUQBG3fBYr_h42LGjCKGeCNOeesIP5zx06z3oOFfs0CQk37ABlnB39FFkSxaL9rK3lsiZIJsf2AIq6IP H4GKKs8mtAwmlseTB2ttNMM44jdncQlB7gW029OEXqJFgL6vjj_rPD9SMJdu7oLP gQJlrhhblssn1oL MTfu6BFr5a66HSP3ZlRrJ7H0elEVjoKiIUDl8bCBxp_V2BbqD3rr9vb9D9JGIBnY4GP7bTEDdAd6mX6afpF1hvyj6FPcWeWpCERnqOsoT7sUSZ9vbx7xDgTuP4CJd4g_Lj2lshSBeVziSzsQXYzra6dvSOGuPL2yiRCg4r9esr_AOHdMjIp87s c1kT9RO51nin1E4gnpyIYLY8nS7r2qCpEGZzuDLLE9D3fdZhNQBL C14hdfM y22z6L_VGcQ6xKbB5c6_HwSH nVyZmK52h1WHZe1 xCxBGBrfVOmfx__22eAcYeX_h0dKKJjRRxTYDkmakb6ZADc vagjf15gEMMVbLZSzLBaRT9rsfvX7hrGFmG7JnMrIkqNIwUl9rChmkKh0k_lzv4ET35B3gNkufV_AZmtyJmPJwUlFVwj2xrZYOXBdo8SIIb1e9eUR IWBzApyW3CcXrtoxBAU2iHMx4UihaNWclSBankQhqzR4QSk=-GzkAAARqm OkjmNEfxARDmEQgUMOHL5jRFkgWm_eB_LGl2tD6Yv6ZZPjYncXSQdwoshtwnkA

Remove firefox_download.exe - Powered by Reason Core Security