frostwire.exe

The application frostwire.exe has been detected as a potentially unwanted program by 21 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The file has been seen being downloaded from www.ifreedownloadss.com.
MD5:
2471acbfeeaf1bb05352a655caace607

SHA-1:
e8b25d52d570b1ce879f6eee1c4322520938b4c9

SHA-256:
e6701b211fb7d9def08c9e45bba8033368c7275bd26cfd5f945bb52575b7a36f

Scanner detections:
21 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/27/2024 6:37:30 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.OutBrowse
7.1.1

AVG
MalSign.OutBrowse
2017.0.2749

Baidu Antivirus
HackTool.Win32.OutBrowse
4.0.3.1658

Comodo Security
Application.Win32.OutBrowse.~A
17981

Dr.Web
Adware.Downware.1770
9.0.1.0129

ESET NOD32
Win32/OutBrowse (variant)
10.9580

Fortinet FortiGate
Riskware/NSIS_OutBrowse
5/8/2016

G Data
Win32.Application.OutBrowse
16.5.24

IKARUS anti.virus
not-a-virus:Downloader.NSIS
t3scan.2.2.29

K7 AntiVirus
Unwanted-Program
13.176.11524

Kaspersky
not-a-virus:Downloader.NSIS.OutBrowse
14.0.0.242

Malwarebytes
PUP.Optional.OutBrowse
v2016.05.08.12

McAfee
RDN/Generic PUP.x!br3
5600.6405

NANO AntiVirus
Trojan.Win32.OutBrowse.csrlza
0.28.0.58491

Panda Antivirus
Trj/CI.A
16.05.08.12

Reason Heuristics
PUP.OutBrowse (M)
16.5.8.11

Sophos
OutBrowse
4.98

Trend Micro House Call
TROJ_GEN.R047C0EBN14
7.2.129

Trend Micro
TROJ_GEN.R047C0EBN14
10.465.08

Vba32 AntiVirus
Downloader.OutBrowse
3.12.24.3

VIPRE Antivirus
OutBrowse
27688

File size:
616 KB (630,743 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\frostwire.exe

File PE Metadata
Compilation timestamp:
12/5/2009 2:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:Y+FyhCfsMntd1zdwVWyK1EzotWlj+kzVX0xp+lHTNo5uLMxHeXAkepYsq4o:YuyhCfsMtpwof1EzotWln3M6VXopa4o

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9787

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file frostwire.exe has been seen being distributed by the following URL.

Remove frostwire.exe - Powered by Reason Core Security