firefoxsetup.exe

Web program

Top Balance (New Media Holdings Ltd.)

The application firefoxsetup.exe, "Web program Setup" by Top Balance (New Media Holdings Ltd.), has been detected as adware by 10 anti-malware scanners. It is a setup program built on the installCore download manager, an engine that may bundle additional offers for ad-supported toolbars, browser extensions and utilities. The installer is marketed through download portals and search ads as the free Mozilla Firefox web browser, but it also installs additional software offers that include adware, PUPs and browser toolbars.
Publisher:
Generic (signed by Top Balance (New Media Holdings Ltd.))

Product:
Web program

Description:
Web program Setup

Version:
2.4.2.1

MD5:
51e3402f920d7fc49428e9461ec8b0a1

SHA-1:
bc7f379a06fb519ad49bcd86da66345da1799cae

SHA-256:
78bd2479418e95b688de2ccd7890f47ef281239a70b13b2e99a08759c898945f

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, it is not set by default and is usually overlooked.

Analysis date:
4/25/2024 7:55:28 AM UTC

Scan engine
Detection
Engine version

avast!
Malware-gen
150531-1

AVG
Generic
2016.0.3091

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Trojan.InstallCore.152
9.0.1.05190

ESET NOD32
Win32/InstallCore.ZM potentially unwanted application
7.0.302.0

K7 AntiVirus
Adware
13.204.16105

Malwarebytes
v2015.06.02.08

NANO AntiVirus
Riskware.Win32.InstallCore.dsgvyn
0.30.24.1636

Reason Heuristics
PUP.Installer.NewMedia.Installer
15.6.2.7

VIPRE Antivirus
Threat.4786018
40552

File size:
693.5 KB (710,168 bytes)

Product version:
4.6

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\firefoxsetup.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
2/11/2015 5:54:46 PM

Valid to:
2/12/2016 5:54:46 PM

Subject:
CN=Top Balance (New Media Holdings Ltd.), O=Top Balance (New Media Holdings Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112195E753935A102CF246567B961877F414

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:VrjGGg6VBMdDMydi8XgO2owO4oLO/RW9hR/hBXBlV5QfNnfjyN5zLzSkq:Vrj3gSqMAuOwO4oiMhR7RlIfNfjM/zSf

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ftp1-zlb.vips.scl3.mozilla.com  (63.245.215.46:80)

TCP (HTTP):
Connects to ec2-54-246-170-74.eu-west-1.compute.amazonaws.com  (54.246.170.74:80)

TCP (HTTP):
Connects to ec2-54-243-153-163.compute-1.amazonaws.com  (54.243.153.163:80)

TCP (HTTP):
Connects to ec2-54-186-117-168.us-west-2.compute.amazonaws.com  (54.186.117.168:80)

TCP (HTTP):
Connects to ec2-23-21-63-169.compute-1.amazonaws.com  (23.21.63.169:80)

TCP (HTTP):
Connects to ec2-107-20-182-77.compute-1.amazonaws.com  (107.20.182.77:80)

Remove firefoxsetup.exe - Powered by Reason Core Security