firefox_setup.exe

Generic

Download Stream

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application firefox_setup.exe, “Generic Setup ” by Download Stream has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The installer is marketed through download protals and search ads as the free Mozilla Firefox web browser but will also install additional software offers which include adware, PUPs and browser toolbars.
Publisher:
Software internet   (signed by Download Stream)

Product:
Generic

Description:
Generic Setup

Version:
1.3.2.3

MD5:
ac2db2b7e9d14acb6ef5c192cc4c9ed6

SHA-1:
c3dad3caa59b4678f27c1ea1a5de66205bc587b6

SHA-256:
e8f887dea89de1d37b994d46b8e8b6ebe9703efd0b532428e8d1e221a22f00e3

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/27/2024 6:55:27 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Trojan.InstallCore.890
9.0.1.041

ESET NOD32
Win32/InstallCore.AAG potentially unwanted application
10.7.0.302.0

G Data
Win32.Application.InstallCore.EG
16.2.25

Malwarebytes
PUP.Optional.Bundle
v2016.02.10.12

Reason Heuristics
PUP.installCore.DownloadStream.Installer (M)
16.2.10.12

Vba32 AntiVirus
Malware-Cryptor.InstallCore.gen
3.12.26.4

File size:
775.2 KB (793,768 bytes)

Product version:
5.6.9

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\firefox_setup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
2/26/2015 5:00:00 PM

Valid to:
2/26/2017 4:59:59 PM

Subject:
CN=Download Stream, O=Download Stream, STREET="1930 Village Center Circle #3-1234", L=Las Vegas, S=NV, PostalCode=89134, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6F743ED7A3F6BE2849D3B5B7D2D51E3A

File PE Metadata
Compilation timestamp:
6/19/1992 4:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:Y6SppmokAS0jdcNIbtfCV9HfOsby83wzBejPZtWhAz7s+lu5Gm9AA9iIjUvjGsJw:Y6SXmI2S14HfOs28A0DWWz5l5YcGsFw

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Entropy:
7.8846

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file firefox_setup.exe has been seen being distributed by the following URL.

Remove firefox_setup.exe - Powered by Reason Core Security