» download_file.exe
Overview
Analysis
File Details
Downloads (1)

download_file.exe

CoolMirage Ltd.

This is the setup program for CoolMirage, a potentially unwanted program (PUP) that display ads on the computer. The application download_file.exe by CoolMirage has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup installer will bundle multiple adware offers during download and setup (based on the user's geographical location) including toolbars, extensions and coupon utilities. The file has been seen being downloaded from smarterzdownloadercom4.maynemyltf.netdna-cdn.com.

File name:

download_file.exe

Publisher:

CoolMirage Ltd. (signed and verified)

MD5:

29b2d6172b0e12b7935284294fdc3333

SHA-1:

2b07ef44e16dea62e0894175a02f0b5fc9e309b2

SHA-256:

d789e387761ee8579b4eefec2cd3fbb6d9e0223075ca4e2f9bdd6b4b5e047773

Scanner detections:

8 / 68

Status:

Adware

Explanation:

Bundles a number of adware programs in the installer.

Analysis date:

4/20/2024 1:37:26 AM UTC (today)

Scan engine

Detection

Engine version

Dr.Web

Adware.Downware.1263

9.0.1.0276

Malwarebytes

PUP.Optional.OneClickDownloader.A

v2015.10.03.11

Microsoft Security Essentials

SoftwareBundler:Win32/OneClickDownloader

1.163.1557.3

Reason Heuristics

PUP.CoolMirage.Installer (M)

15.10.3.11

Sophos

CoolMirage

4.94

SUPERAntiSpyware

PUP.OneClickDownloader/Variant

9592

Trend Micro House Call

TROJ_GEN.F47V0929

7.2.276

VIPRE Antivirus

News.net

22872

File size:

297.7 KB (304,816 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\downloads\download_file.exe

Digital Signature

Signed by:

CoolMirage Ltd.

Authority:

Thawte, Inc.

Valid from:

6/6/2013 3:00:00 AM

Valid to:

6/7/2014 2:59:59 AM

Subject:

CN=CoolMirage Ltd., O=CoolMirage Ltd., L=Tel Aviv, S=Israel, C=IL

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

110F603E63C86349A5F243EA06966F33

File PE Metadata

Compilation timestamp:

12/6/2009 12:50:46 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

6144:1sH7cbdMiTptkCLVW6kKTcUcDTlTykH4O00lCWXlaOm:IadMiVaK06gT/4h0lPVa1

Entry address:

0x323C

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

23 KB (23,552 bytes)

The file download_file.exe has been seen being distributed by the following URL.

http://smarterzdownloadercom4.maynemyltf.netdna-cdn.com/builds/http/.../download_file.exe

Remove download_file.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.