firefox_tsa1x7bi4.exe

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The application firefox_tsa1x7bi4.exe by ClientConnect has been detected as adware by 11 anti-malware scanners. The program is a setup application that uses the Perion Download Manager installer. With this installer, users are expecting to download the free Mozilla Firefox web browser but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
ClientConnect LTD  (signed and verified)

MD5:
e08e4acf71d56daf4e73eb8348837104

SHA-1:
9c99905bfe2dcb3594bc624bd7f7c01630ac8b13

SHA-256:
e19f3c7bf74778e0fe6a383ef1200f1fd6be7b0892a746559f8f757f0e3d8219

Scanner detections:
11 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/28/2024 10:03:07 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Adware-BRM [PUP]
150303-0

AVG
Generic
2016.0.3180

Dr.Web
Adware.Conduit.87
9.0.1.05190

ESET NOD32
Win32/ClientConnect.A potentially unwanted application
7.0.302.0

G Data
Win32.Application.ClientConnectConduitDL
15.3.25

Kaspersky
not-a-virus:WebToolbar.Win32.Agent
15.0.0.543

Malwarebytes
PUP.Optional.ClientConnect
v2015.03.04.09

NANO AntiVirus
Trojan.Win32.ClientConnect.deinfe
0.30.0.296

Qihoo 360 Security
HEUR/QVM30.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Bundler.Perion.Conduit
15.3.4.21

VIPRE Antivirus
Threat.4786236
38050

File size:
715.3 KB (732,416 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Perion Download Manager (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\firefox_tsa1x7bi4.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/4/2014 12:00:00 AM

Valid to:
2/5/2016 11:59:59 PM

Subject:
CN=ClientConnect LTD, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=AB Test B, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
64159E29A8BF4BAC3C6280CA88B62F25

File PE Metadata
Compilation timestamp:
2/24/2012 7:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:kESItWVPgijwOp2NEbe+ZzL1ABLYv4GMQrpSk6CgNMBoigi8erCSBZDn:k9ItWVPgijwOp2aeYv4XQVtr2ElrCSn

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 
[+]

Entropy:
7.9666

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file firefox_tsa1x7bi4.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to cms.dmccint.com  (23.67.242.80:80)

 
http://cms.dmccint.com/DynamicOffer/18562726/18583849/?mainofferId=18559292&CurrentStep=2&TotalSteps=4&DownloadBrowser=IE&CType=-1&UserMode=-1&DMVersion=1.3.8.85.18582715.01&Language=US-EN

Remove firefox_tsa1x7bi4.exe - Powered by Reason Core Security