icreinstall_mozilla-firefox-160-baixaki-32-bits.exe

The installer uses InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_mozilla-firefox-160-baixaki-32-bits.exe has been detected as adware by 26 anti-malware scanners. The program is a setup application built on the InstallCore installer; the file is not signed with an Authenticode signature from a trusted source. The InstallCore engine may bundle additional software offers, including toolbars and browser extensions. The installer is marketed through download portals and search ads as the free Mozilla Firefox web browser, but it also installs additional software offers that include adware, PUPs and browser toolbars.
MD5:
ed589c83d94064a1034bd1c0755f4bc8

SHA-1:
51b83dae3274ed53963f7f842b6a0b9ed4d1d041

SHA-256:
111a98629f3eb46431af0ee57baaf279e1b416b2123f7d0c78ff6ce56bfdaadf

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software, which may include extensions such as DealPly and various toolbars.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/24/2024 9:39:13 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.Generic.370155 | 931
Agnitum Outpost | PUA.InstallCore | 7.1.1
Avira AntiVirus | Adware/InstallBai.A | 7.11.154.68
Baidu Antivirus | Adware.Win32.InstallCore | 4.0.3.14718
Bitdefender | Adware.Generic.370155 | 1.0.20.995
Bkav FE | W32.Clodd43.Trojan | 1.3.0.4959
Clam AntiVirus | Win.Adware.370155 | 0.98/21155
Comodo Security | ApplicUnwnt | 18505
Dr.Web | Adware.InstallCore.43 | 9.0.1.0199
Emsisoft Anti-Malware | Adware.Generic.370155 | 8.14.07.18.08
ESET NOD32 | Win32/InstallCore.AY (variant) | 8.9925
Fortinet FortiGate | Riskware/InstallCore | 7/18/2014
F-Prot | W32/InstallCore.V2.gen | v6.4.7.1.166
F-Secure | Adware.Generic.370155 | 11.2014-18-07_6
G Data | Adware.Generic.370155 | 14.7.24
IKARUS anti.virus | AdWare.SuspectCRC | t3scan.1.6.1.0
K7 AntiVirus | Unwanted-Program | 13.1712358
McAfee | Artemis!ED589C83D940 | 5600.7065
MicroWorld eScan | Adware.Generic.370155 | 15.0.0.597
NANO AntiVirus | Trojan.Win32.InstallCore.cofivl | 0.28.0.60253
Rising Antivirus | PE:Malware.XPACK-LNR/Heur!1.5594 | 23.00.65.14716
Sophos | Generic PUA FB | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Artemis | 10475
Trend Micro House Call | TROJ_GEN.R0CBB01EL14 | 7.2.199
Vba32 AntiVirus | BScope.Malware-Cryptor.InstallCore.2691 | 3.12.26.0
VIPRE Antivirus | InstallCore | 30174

File size:
1.1 MB (1,101,688 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_mozilla-firefox-160-baixaki-32-bits.exe

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:WuiW8LUoaP80hQkAN42diMxOv8cgstU1dqqXy3F:WuiJLonekA8A+gstUfq6

Entry address:
0xCACC0

Entry point:
55, 8B, EC, 83, C4, F0, B8, 5C, DA, 40, 00, E8, 95, F7, FF, FF, 80, 11, 48, 00, 8B, C0, FF, 25, EC, 11, 48, 00, 8B, C0, FF, 25, 7C, 11, 48, 00, 8B, C0, FF, 25, 78, 11, 48, 00, 8B, C0, FF, 25, 74, 11, 48, 00, 8B, C0, FF, 25, 04, 12, 48, 00, 8B, C0, FF, 25, 00, 12, 48, 00, 8B, C0, FF, 25, FC, 11, 48, 00, 8B, C0, FF, 25, 70, 11, 48, 00, 8B, C0, FF, 25, 6C, 11, 48, 00, 8B, C0, FF, 25, 14, 12, 48, 00, 8B, C0, FF, 25, 10, 12, 48, 00, 8B, C0, FF, 25, 0C, 12, 48, 00, 8B, C0, FF, 25, 68, 11, 48, 00, 8B, C0, FF, 25...

Developed / compiled with:
Microsoft Visual C++

Code size:
828 KB (847,872 bytes)

The file icreinstall_mozilla-firefox-160-baixaki-32-bits.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)