mozilla firefox setup.exe

WeDownload, Ltd

The application mozilla firefox setup.exe by WeDownload has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Midia Downloader installer. With this installer, users are expecting to download the free Mozilla Firefox web browser but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware. The file has been seen being downloaded from mozilla-firefox.todownload.com.
Publisher:
WeDownload, Ltd  (signed and verified)

Version:
1.0.0.0

MD5:
0ccfc5ec5ddd4e0ced9aabefa8f737a0

SHA-1:
7df4227f923fa071fd68cabe0dd58c54c86b7e11

SHA-256:
31ffb1971d41523e80229f31af81ea009b3df181ff8466f30265a01c59514dc3

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/24/2024 4:54:00 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.WeDownload (M)
16.7.27.13

File size:
1.1 MB (1,160,856 bytes)

Product version:
1.0.0.0

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Midia Downloader

Language:
English (United States)

Common path:
C:\users\{user}\downloads\mozilla firefox setup.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
2/5/2013 4:00:00 PM

Valid to:
2/11/2016 4:00:00 AM

Subject:
CN="WeDownload, Ltd", O="WeDownload, Ltd", L=Nicosia, C=CY

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0320C5B8F7CE6E92D3665598826A4480

File PE Metadata
Compilation timestamp:
7/15/2013 2:58:54 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:MFVRc+TS2Mt1nFae2kRgNvs8/JmJj82UlJh6Ur6ce7BgctM:MTRlTSrgN3q1UPf9e7B5t

Entry address:
0x37B960

Entry point:
60, BE, 00, A0, 67, 00, 8D, BE, 00, 70, D8, FF, C7, 87, 34, 9C, 2C, 00, 36, 68, 14, 46, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...
 
[+]

Entropy:
7.8977

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
1 MB (1,060,864 bytes)

The file mozilla firefox setup.exe has been seen being distributed by the following URL.

Remove mozilla firefox setup.exe - Powered by Reason Core Security