firstrow_download.exe

Kantida Chanudrum

The application firstrow_download.exe by Kantida Chanudrum has been detected as adware by 16 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup installer will bundle multiple adware offers during download and setup (based on the user's geographical location) including toolbars, extensions and coupon utilities. The file has been seen being downloaded from www.freehdsportsappdl.com.
Publisher:
Kantida Chanudrum  (signed and verified)

MD5:
7c7ad69a8c7317eb96c1bfeb559ba6a0

SHA-1:
6dcca75bf78d471cf8ec56191d3a3426879d77a5

SHA-256:
be6c8772d0e3ee42119ae9b6c96181c23dbe31a467aac5223cb4a3e79453a15f

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Bundles a number of adware programs in the installer.

Analysis date:
4/20/2024 12:44:49 AM UTC

Scan engine               Detection                                     Engine version
Avira AntiVirus           APPL/CoolMirage.Gen                           7.11.175.18
avast!                    NSIS:Oneclick-AK [PUP]                        2014.9-150420
AVG                       MultiBundle                                   2016.0.3133
Comodo Security           Application.Win32.CoolMirage.AS               19647
Dr.Web                    Adware.Downware.5516                          9.0.1.0110
ESET NOD32                Win32/AdWare.1ClickDownload.AT                9.10478
G Data                    NSIS.Adware.OneClickDownloader                15.4.24
Malwarebytes              PUP.Optional.OneClickDownloader.A             v2015.04.20.02
McAfee                    Artemis!7C7AD69A8C73                          5600.6789
NANO AntiVirus            Trojan.Nsis.Yotoon.deckrr                     0.28.2.62286
Qihoo 360 Security        HEUR/Malware.QVM06.Gen                        1.0.0.1015
Reason Heuristics         Threat.Installer.KantidaChanudrum             15.4.20.10
Rising Antivirus          PE:Trojan.Win32.Generic.1700010E!385876238    23.00.65.15418
Sophos                    Install Core                                  4.98
Trend Micro House Call    Suspicious_GEN.F47V0705                       7.2.110
VIPRE Antivirus           Trojan.Win32.Generic                          33508

File size:
447.1 KB (457,784 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\firstrow_download.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
4/14/2014 8:00:00 PM

Valid to:
4/15/2015 7:59:59 PM

Subject:
CN=Kantida Chanudrum, OU=Individual Developer, O=No Organization Affiliation, L=Phuket, S=Phuket, C=TH

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
12C00C2179570252969AF80D723272A8

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:HsA7sCRqjMS9XlrIyrlRpO9G4xAXIEdHFrVM4hrjtFgqKDTnOn7i84:BsWkMZyrFWiIIri6oqKDbO7iR

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...

Entropy:
7.9086

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file firstrow_download.exe has been seen being distributed by the following URL.

Remove firstrow_download.exe - Powered by Reason Core Security