home

download_file.exe

CoolMirage Ltd.

This is the setup program for CoolMirage, a potentially unwanted program (PUP) that display ads on the computer. The application download_file.exe by CoolMirage has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup installer will bundle multiple adware offers during download and setup (based on the user's geographical location) including toolbars, extensions and coupon utilities. The file has been seen being downloaded from s1-pt-download.maynemyltf.netdna-cdn.com.
Publisher:
CoolMirage Ltd.  (signed and verified)

MD5:
73ca53e0a441d143e2e109128e9241d0

SHA-1:
cb0d87821283b1aa64942a1044d7c292ab7617b0

SHA-256:
3b4695a51327bd3334b0745f1e6cdf7ae1de939348d89ed68a90b6ba41065912

Scanner detections:
8 / 68

Status:
Adware

Explanation:
Bundles a number of adware programs in the installer.

Analysis date:
4/20/2024 12:54:45 AM UTC  (today)

Scan engine
Detection
Engine version

Comodo Security
Application.Win32.MCool.F
17116

Dr.Web
Adware.Downware.1263
9.0.1.0358

Malwarebytes
PUP.Optional.OneClickDownloader.A
v2013.12.24.02

Reason Heuristics
PUP.CoolMirage.N
14.8.7.17

Sophos
CoolMirage
4.93

SUPERAntiSpyware
PUP.OneClickDownloader/Variant
10888

Trend Micro House Call
TROJ_GEN.F47V0911
7.2.358

VIPRE Antivirus
News.net
22438

File size:
313.1 KB (320,584 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\download_file.exe

Digital Signature
Signed by:
CoolMirage Ltd.

Authority:
Thawte, Inc.

Valid from:
6/6/2013 1:00:00 AM

Valid to:
6/7/2014 12:59:59 AM

Subject:
CN=CoolMirage Ltd., O=CoolMirage Ltd., L=Tel Aviv, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
110F603E63C86349A5F243EA06966F33

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:QsH7cTIzGDuTccBI0k0492pHLzYy6lXEeCy8+Y5fUFhKdXha:DyIa6zXk0uKHLEy6VY5sp

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file download_file.exe has been seen being distributed by the following URL.

http://s1-pt-download.maynemyltf.netdna-cdn.com/build/.../download_file.exe

Remove download_file.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.