firefox_setup.exe

saFe cLiCK lOL

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application firefox_setup.exe by saFe cLiCK lOL has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. With this installer, users are expecting to download the free Mozilla Firefox web browser but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
WDSLL  (signed by saFe cLiCK lOL)

Product:
WDSLL

Version:
7721.15531.1380.5625

MD5:
041fd24ec6e3e15f9878c3754ac7aea2

SHA-1:
d96fbfdf94ec4c1a9a8b376ff54c3a4cf2038a2c

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 5:05:37 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Outbrowse.saFecLiC.Bundler (M)
16.4.7.10

File size:
744.4 KB (762,240 bytes)

Product version:
7721.15531.1380.5625

Copyright:
WDSLL

Trademarks:
WDSLL

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\My documents\downloads\firefox_setup.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
5/28/2015 5:30:00 AM

Valid to:
1/28/2016 5:29:59 AM

Subject:
CN=saFe cLiCK lOL, O=saFe cLiCK lOL, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
1D35B931645F649089CF2B35F1F31828

File PE Metadata
Compilation timestamp:
12/6/2009 4:22:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:wXOttdt7VcPstjZpIBAZwiUSFK02RP3zxwFTlSdzrIx6jNyfc8vy4hn:wAtdt7Vc+ZpoAwhSeRfz8wdzRN/86Y

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9839

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

Remove firefox_setup.exe - Powered by Reason Core Security