firefox.exe

The application firefox.exe has been detected as a potentially unwanted program by 16 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse), which bundles additional software offers including toolbars, extensions, PC utilities and other PUPs. The file has been seen being downloaded from downloader.ez-download.com and multiple other hosts.
MD5:
015ac5007432afb0a8fd43f0295c81fc

SHA-1:
84653c93869d1bca8b328040668b8ebcfb80933f

SHA-256:
534906a24bde38be5cc0721ab35ce23ade9141e1dd0a33911b0c22ba6b22151c

Scanner detections:
16 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
4/18/2024 12:26:56 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | PUA.OutBrowse | 7.1.1
AhnLab V3 Security | PUP/Win32.OutBrowse | 2015.03.13
Avira AntiVirus | PUA/Outbrowse.Gen | 7.11.216.120
avast! | Win32:Evo-gen [Susp] | 2014.9-151126
Baidu Antivirus | PUA.Win32.OutBrowse | 4.0.3.151126
Comodo Security | ApplicUnwnt | 21384
Dr.Web | Adware.Downware.2081 | 9.0.1.0330
ESET NOD32 | Win32/OutBrowse.J potentially unwanted | 9.11310
Fortinet FortiGate | Riskware/OutBrowse | 11/26/2015
F-Prot | W32/Outbrowse.B.gen | v6.4.7.1.166
G Data | Win32.Application.OutBrowse | 15.11.25
McAfee | Artemis!015AC5007432 | 5600.6570
NANO AntiVirus | Trojan.Win32.Generic.cthmwf | 0.30.0.296
Trend Micro House Call | TROJ_GEN.R08OC0OBF15 | 7.2.330
Trend Micro | TROJ_GEN.R08OC0OBF15 | 10.465.26
VIPRE Antivirus | Trojan.Win32.Generic | 38360

File size:
101.8 KB (104,292 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\firefox.exe

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:UgXdZt9P6D3XJzCS5Ky/9XO3jR0eWSzUu/0WB:Ue34USUQ9OzRgW/ci

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.6685

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file firefox.exe has been seen being distributed by the following 2 URLs.

Remove firefox.exe - Powered by Reason Core Security