mozilla-firefox.exe

Dumodolir

UpdateStar GmbH

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application mozilla-firefox.exe, “Dumodolir Setup ” by UpdateStar GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The installer is marketed through download protals and search ads as the free Mozilla Firefox web browser but will also install additional software offers which include adware, PUPs and browser toolbars.
Publisher:
UpdateStar GmbH  (signed and verified)

Product:
Dumodolir

Description:
Dumodolir Setup

Version:
4.3.1.7

MD5:
9407b6cb28cf37fa91436ee810d1e471

SHA-1:
a52659d0300188e798c59bd4ba76f00388ef73c7

SHA-256:
b96073ea955c9c76bdb0973f78dd95725b911f807fb65508d6879defc2f4971f

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
12/24/2024 4:06:00 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.installCore (M)
16.7.25.20

File size:
1.1 MB (1,141,864 bytes)

Product version:
1.3

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\mozilla-firefox.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
1/25/2016 11:35:00 AM

Valid to:
3/23/2017 3:24:09 PM

Subject:
CN=UpdateStar GmbH, O=UpdateStar GmbH, L=Berlin, S=Berlin, C=DE

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C7585A2F5B2218EC6B36D472BA6496D8

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:ItHtkqnjK038XSVOnLSLoIfSsAALkKqu3MuxU8RcZnIZc+MCS/ZWuMyc:I1+gNwEffBA+H8uxcX8OW1

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file mozilla-firefox.exe has been seen being distributed by the following URL.

Remove mozilla-firefox.exe - Powered by Reason Core Security