» firefox_setup.exe
Overview
Analysis
File Details

firefox_setup.exe

saFe cLiCK lOL

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application firefox_setup.exe by saFe cLiCK lOL has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the OutBrowse Revenyou installer. With this installer, users are expecting to download the free Mozilla Firefox web browser but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.

File name:

firefox_setup.exe

Publisher:

WDSLL (signed by saFe cLiCK lOL)

Product:

WDSLL

Version:

7721.15531.1380.5625

MD5:

041fd24ec6e3e15f9878c3754ac7aea2

SHA-1:

d96fbfdf94ec4c1a9a8b376ff54c3a4cf2038a2c

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

11/23/2024 11:12:06 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Outbrowse.saFecLiC.Bundler (M)

16.4.7.10

File size:

744.4 KB (762,240 bytes)

Product version:

7721.15531.1380.5625

WDSLL

Trademarks:

WDSLL

File type:

Executable application (Win32 EXE)

Bundler/Installer:

OutBrowse Revenyou (using Nullsoft Install System)

Language:

Language Neutral

Common path:

C:\Documents and Settings\{user}\My documents\downloads\firefox_setup.exe

Digital Signature

Signed by:

saFe cLiCK lOL

Authority:

thawte, Inc.

Valid from:

5/28/2015 5:30:00 AM

Valid to:

1/28/2016 5:29:59 AM

Subject:

CN=saFe cLiCK lOL, O=saFe cLiCK lOL, L=Dublin, S=Dublin, C=IE

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

1D35B931645F649089CF2B35F1F31828

File PE Metadata

Compilation timestamp:

12/6/2009 4:22:12 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

12288:wXOttdt7VcPstjZpIBAZwiUSFK02RP3zxwFTlSdzrIx6jNyfc8vy4hn:wAtdt7Vc+ZpoAwhSeRfz8wdzRN/86Y

Entry address:

0x30FA

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, 1C, 45, 00, E8, F1, 2B, 00, 00, A3, 64, 1B, 45, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 37, 43, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, DB, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, A0, 47, 00, 50, 57, E8, 92, 28, 00, 00... 
[+]

Entropy:

7.9839

Packer / compiler:

Nullsoft install system v2.x

Code size:

23.5 KB (24,064 bytes)

Remove firefox_setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.