home

file_download.exe

CoolMirage Ltd.

This is the setup program for CoolMirage, a potentially unwanted program (PUP) that display ads on the computer. The application file_download.exe by CoolMirage has been detected as adware by 10 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup installer will bundle multiple adware offers during download and setup (based on the user's geographical location) including toolbars, extensions and coupon utilities. The file has been seen being downloaded from www.ftdownloader.com and multiple other hosts.
Publisher:
CoolMirage Ltd.  (signed and verified)

MD5:
d22aeb9eb4c82c02071cf9916440b157

SHA-1:
3aed9cf7e9ceadf4ccf9cc6e125883d42b6ae782

SHA-256:
21576f0528cfe3f2c9c86cbeef79f3e7652a51c9b5ddb76cc65d35040642cf83

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Bundles a number of adware programs in the installer.

Analysis date:
4/25/2024 8:34:54 PM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.Clodbd7.Trojan
1.3.0.4562

Comodo Security
Application.Win32.MCool.D
17313

Dr.Web
Adware.Downware.1263
9.0.1.0170

ESET NOD32
Win32/AdWare.1ClickDownload.AP
8.9080

Malwarebytes
PUP.Optional.OneClickDownloader.A
v2014.06.19.04

McAfee
Artemis!D22AEB9EB4C8
5600.7094

Reason Heuristics
PUP.CoolMirage.N
14.8.7.17

Sophos
CoolMirage
4.95

Trend Micro House Call
TROJ_GEN.F47V1010
7.2.170

VIPRE Antivirus
CoolMirage Ltd
23600

File size:
295.8 KB (302,912 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\file_download.exe

Digital Signature
Signed by:
CoolMirage Ltd.

Authority:
Thawte, Inc.

Valid from:
6/6/2013 8:00:00 AM

Valid to:
6/7/2014 7:59:59 AM

Subject:
CN=CoolMirage Ltd., O=CoolMirage Ltd., L=Tel Aviv, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
110F603E63C86349A5F243EA06966F33

File PE Metadata
Compilation timestamp:
12/6/2009 6:50:46 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:QsH7ONffPgeD9ydnL/BOiMIIYnh0Pj+sVT8JB:DONrD4CiMIIYnhCj+smJB

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.8286

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file file_download.exe has been seen being distributed by the following 2 URLs.

http://www.ftdownloader.com/.../The_Vampire_Diaries_S04E10_HDTV_XviD-AFG_arc.exe

http://www.ftdownloader.com/.../File_Download.exe

Remove file_download.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.