mozilla_firefox.exe

WEBCELLENCE LTD

The application mozilla_firefox.exe by WEBCELLENCE has been detected as adware by 14 anti-malware scanners. It is a setup program built on the InstallCore download manager, which may bundle additional offers for ad-supported toolbars, browser extensions and utilities. Users running this installer expect to download the free Mozilla Firefox web browser, but before that happens they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
WEBCELLENCE LTD  (signed and verified)

MD5:
b29d691ab6dd722a5982bc3ec8020087

SHA-1:
99f7a4f0062315db03c85ea9635284d80728c35d

SHA-256:
6d8db949cad8b0f0c9dbba28f40e19b91c022405f4a2e02ab0765a73f185945a

Scanner detections:
14 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/25/2024 8:10:32 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | PUA.InstallCore | 7.1.1 |
| Avira AntiVirus | | 7.11.188.58 |
| AVG | Generic | 2015.0.3281 |
| Baidu Antivirus | Adware.Win32.InstallCore | 4.0.3.141124 |
| Comodo Security | ApplicUnwnt | 20164 |
| Dr.Web | Trojan.MulDrop5.38104 | 9.0.1.0328 |
| ESET NOD32 | Win32/InstallCore.QB (variant) | 8.10766 |
| Fortinet FortiGate | Riskware/InstallCore | 11/24/2014 |
| McAfee | Artemis!B29D691AB6DD | 5600.6937 |
| Reason Heuristics | PUP.installCore.WEBCELLENCE | 15.5.3.0 |
| Trend Micro House Call | Suspicious_GEN.F47V1009 | 7.2.328 |
| Vba32 AntiVirus | Malware-Cryptor.InstallCore.gen | 3.12.26.3 |
| VIPRE Antivirus | Trojan.Win32.Generic | 35030 |

File size:
762.6 KB (780,896 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\mozilla_firefox.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
8/17/2014 5:00:00 PM

Valid to:
8/18/2015 4:59:59 PM

Subject:
CN=WEBCELLENCE LTD, OU=IT, O=WEBCELLENCE LTD, L=Ora, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
61DF315E410D6AA0BFE57E4C149BE78E

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:5ivp//iIHZPg8Dok8hBcGQfbQ739A+giaf+Jra330CNUTdH0W2dV7dOyruqKD:5ivtiIHJ9cubE73+tia2JO0CZdVpFra

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 

Entropy:
7.8240

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file mozilla_firefox.exe has been seen being distributed by the following URL.
