mozilla firefox.exe

StART NOW

This is the OutBrowse Revenyou installer which bundles offers for additional third party applications that may be unwanted and installed without consent. The application mozilla firefox.exe by StART NOW has been detected as adware by 19 anti-malware scanners. The program is a setup application that uses the OutBrowse Revenyou installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from get.softworldfiles.com.
Publisher:
StART NOW  (signed and verified)

MD5:
eaa30ca14c291a2292faa03d98f94cbc

SHA-1:
edacf6b34ebe7e59b5af9739df1dde403ade27bd

SHA-256:
b451e4dc867c1d09186b558c76f7abb26f7ca761b465221459db38b3bd4d5057

Scanner detections:
19 / 68

Status:
Adware

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
11/15/2024 6:11:55 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Bundler.Outbrowse.1
6376365

Agnitum Outpost
PUA.OutBrowse
7.1.1

AhnLab V3 Security
PUP/Win32.OutBrowse
2015.02.19

Avira AntiVirus
APPL/Downloader.Gen
7.11.210.224

AVG
Potentially harmful program Downloader.DJP
2014.0.4257

Bitdefender
Gen:Variant.Application.Bundler.Outbrowse.1
1.0.20.245

Dr.Web
Trojan.OutBrowse.92
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Application.Bundler.Outbrowse
9.0.0.4799

ESET NOD32
Win32/OutBrowse.BU potentially unwanted application
7.0.302.0

Fortinet FortiGate
Riskware/OutBrowse
2/18/2015

F-Secure
Gen:Variant.Application.Bundler
11.2015-18-02_4

G Data
Gen:Variant.Application.Bundler.Outbrowse
15.2.25

K7 AntiVirus
Trojan
13.196.15005

McAfee
Adware-OutBrowse.e
5600.6851

MicroWorld eScan
Gen:Variant.Application.Bundler.Outbrowse.1
16.0.0.147

NANO AntiVirus
Trojan.Win32.OutBrowse.dnpjkd
0.30.0.126

Reason Heuristics
PUP.Outbrowse
15.2.18.10

Trend Micro House Call
Suspici.BD67879B
7.2.49

VIPRE Antivirus
Threat.4150696
37588

File size:
599 KB (613,416 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
OutBrowse Revenyou (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\mozilla firefox.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
2/4/2015 6:00:00 PM

Valid to:
12/11/2015 5:59:59 PM

Subject:
CN=StART NOW, O=StART NOW, L=Dublin, S=Dublin, C=IE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
49D186F5D4CD2EA57A61CBF406813874

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:Wv2bQ2oZY/Edlor7WitgvWVfS371D2SCFuQ1S:WvsBkDdu71aGf+J6ub

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9454

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file mozilla firefox.exe has been seen being distributed by the following URL.

Remove mozilla firefox.exe - Powered by Reason Core Security