ffu26.exe

Extended Setup

The file is a bundle distribution that uses the installCore download manager to distribute potentially unwanted software. The application ffu26.exe by Extended Setup has been detected as adware by 16 anti-malware scanners. It is a setup program built on the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.freewarefiles.com.
Publisher:
Extended Setup  (signed and verified)

MD5:
9de113fa656b7097d427bf7c13567c7e

SHA-1:
54f0af0c7c3caaeafdeb87ca991594d029257477

SHA-256:
7ae389a8ff8151b46e0748f4a0ffa829da3f9997e46ccc47296b78466cd46a76

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/19/2024 10:48:35 AM UTC  (today)

Scan engine | Detection | Engine version
AhnLab V3 Security | PUP/Win32.DownloadManager | 2015.04.14
AVG | InstallC | 2016.0.3139
Bkav FE | W32.HfsAdware | 1.3.0.6379
Comodo Security | Application.Win32.Installcore.CJ | 21194
Dr.Web | Trojan.Packed.24524 | 9.0.1.0104
ESET NOD32 | Win32/InstallCore.BY potentially unwanted application | 9.7.0.302.0
F-Prot | W32/A-dbe1ec51 | v6.4.7.1.166
herdProtect (fuzzy) | | 2015.7.16.2
K7 AntiVirus | Unwanted-Program | 13.198.15062
Malwarebytes | | v2015.04.14.01
Reason Heuristics | PUP.Bundler.ironSource | 15.4.14.9
Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.15412
Sophos | PUA 'Install Core Click run software' | 5.10
SUPERAntiSpyware | | 9936
Vba32 AntiVirus | | 3.12.26.3
VIPRE Antivirus | Threat.5063361 | 37588

File size:
613.1 KB (627,848 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\downloads\ffu26.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
10/21/2013 8:00:00 PM

Valid to:
10/22/2014 7:59:59 PM

Subject:
CN=Extended Setup, O=Extended Setup, STREET=Lilienblum 28, L=Tel Aviv, S=Israel, PostalCode=6513307, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DC2A1D7B17450E779685BAA191188498

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:VmyMJfsG10MQm0LcN5e6frzqcsxUAcyT6g2iFbpeO/hi90nVFRu:VmyMJfsk0MQhQN5rrzqNUFql2iJpf5iy

Entry address:
0x98CC

Entry point:
55, 8B, EC, 83, C4, CC, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, FA, 97, FF, FF, E8, 01, AA, FF, FF, E8, 2C, CC, FF, FF, E8, 73, CC, FF, FF, E8, 0A, F3, FF, FF, E8, 71, F4, FF, FF, 33, C0, 55, 68, 76, 9F, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 2C, 9F, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, B0, 40, 00, E8, 9B, FE, FF, FF, E8, 26, FA, FF, FF, 8D, 55, F0, 33, C0, E8, E0, D0, FF, FF, 8B, 55, F0, B8, D8, BD, 40, 00, E8, AB, 98, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, D8, BD, 40, 00, B2, 01, B8...
 

Entropy:
7.8213

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
36 KB (36,864 bytes)

The file ffu26.exe has been seen being distributed by the following URL.
