winzip.exe

Firseria

The setup program uses the Firseria/Solimba AppInstaller (DownloadMR), a monetization download manager that bundles additional adware offers, typically by wrapping legitimate applications. The application winzip.exe, “Application Install” by Firseria, has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the Solimba DownloadMR installer. The file has been seen being downloaded from nl.download366.com.
Publisher:
Setup process (signed by Firseria)

Description:
Application Install

Version:
3.0.30.11

MD5:
0404af5a6fc6b9382ab2afc0925ea882

SHA-1:
c31a2aede73b38dda5b6c9c7bbc5c8397d6dfe64

SHA-256:
0b6ad576d60c22e99fab23e63471873248b504646acca216810898258f52c776

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/25/2024 7:15:25 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Installer.Firseria.G

Engine version:
14.8.7.17

File size:
286.7 KB (293,608 bytes)

Product version:
3.0.30

Copyright:
Copyright © 2013-14

Original file name:
setupinstaller.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Solimba DownloadMR

Common path:
C:\users\{user}\downloads\winzip.exe

Digital Signature
Signed by:
Firseria
Authority:
GlobalSign nv-sa

Valid from:
11/11/2013 4:34:44 PM

Valid to:
11/12/2014 4:34:44 PM

Subject:
E=support@solimba.com, CN=Firseria, O=Firseria, L=Badalona, S=Barcelona, C=ES

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112130C3B28D7C9C29B8B07321EF3F8A1462

File PE Metadata
Compilation timestamp:
2/25/2014 6:02:37 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:ZmRZ2W5Ij46YOG0G+EQ2eiAIQibh8HOlxHUbx1LqrG9:Z6H67bG0lEQ2kioOlNUv2rG9

Entry address:
0xD7B9

Entry point:
E8, C8, 79, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 60, 44, 42, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 64, 44, 42, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, BA, 58, 00, 00, 85, C0, 75, 06, B8, C8, 45, 42, 00, C3, 83, C0, 08, C3, E8, A7, 58, 00, 00, 85, C0, 75, 06, B8, CC, 45, 42, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...

Code size:
111.5 KB (114,176 bytes)

The file winzip.exe has been seen being distributed by the following URL:
nl.download366.com

Powered by Reason Core Security