» twillight__breaking_dawn.exe
Overview
Analysis
File Details
Downloads (1)

twillight__breaking_dawn.exe

Cool Mirage ltd.

This is the setup program for CoolMirage, a potentially unwanted program (PUP) that display ads on the computer. The application twillight__breaking_dawn.exe by Cool Mirage ltd has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup installer will bundle multiple adware offers during download and setup (based on the user's geographical location) including toolbars, extensions and coupon utilities. The file has been seen being downloaded from www.m2kdownloader.com.

File name:

Publisher:

Cool Mirage ltd. (signed and verified)

MD5:

1f0e31308cadccdf38534c5ce7eebcfb

SHA-1:

07fa7c6e5cf981023a6ef04dc66176c2b2adca4d

SHA-256:

ab21339945e0487de24762934c4eb1e3478b1e0fb8908bd13878c58aa0640b7a

Scanner detections:

13 / 68

Status:

Adware

Explanation:

Bundles a number of adware programs in the installer.

Analysis date:

4/25/2024 4:08:16 PM UTC (today)

Scan engine

Detection

Engine version

AhnLab V3 Security

Win-PUP/CrossRider

2015.03.21

Avira AntiVirus

APPL/CoolMirage.Gen6

7.11.218.226

avast!

Downloader-TPG [PUP]

150320-0

Comodo Security

Application.Win32.MCool.A

21479

Dr.Web

Adware.Downware.794

9.0.1.05190

ESET NOD32

Win32/Adware.1ClickDownload.AY application

7.0.302.0

G Data

NSIS.Adware.OneClickDownloader

15.3.25

K7 AntiVirus

Adware

13.202.15333

McAfee

Program.Adware-SweetIM

16.8.708.2

NANO AntiVirus

Trojan.Script.Downware.cujzax

0.30.8.659

Reason Heuristics

PUP.Installer.CoolMirage

15.3.20.17

Sophos

FT Downloader

4.98

VIPRE Antivirus

Threat.4784938

38552

File size:

241.1 KB (246,896 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\downloads\twillight__breaking_dawn.exe

Digital Signature

Signed by:

Cool Mirage ltd.

Authority:

COMODO CA Limited

Valid from:

11/14/2012 1:00:00 AM

Valid to:

11/15/2014 12:59:59 AM

Subject:

CN=Cool Mirage ltd., O=Cool Mirage ltd., STREET=ogarit 39, L=tel aviv, S=tel aviv, PostalCode=69016, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00FC28659CC8073606EF4D09A1994B1AD0

File PE Metadata

Compilation timestamp:

12/5/2009 11:50:46 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

6144:Bs6WaGN6shi06bTOuk2rx4FgkiyjHXeudJ:jWawdKKuk2rx4WkXj3tJ

Entry address:

0x323C

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

23 KB (23,552 bytes)

The file twillight__breaking_dawn.exe has been seen being distributed by the following URL.

http://www.m2kdownloader.com/.../product_download.php?file=%file%&name=twillight breaking dawn&pub=m2k23c&sp=1

Remove twillight__breaking_dawn.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.