firefox.exe

  • File Path: C:\program files\Mozilla Firefox\firefox.exe
  • Description: Firefox

Hashes

Type    Hash
MD5     01DF6E9C1724C892E47B2D19AC5136E0
SHA1    453560B22111AE96A4D1ABE80BFC68AFC43AF112
SHA256  2B2F9BC8882EF0F819C86BB14A69D894F7D59E033BC24F2053E991D92425D175
SHA384  CDB2DA0AF0F25C11E539F0183DFF9F5E9581911F2CE02D651A671F745F18BF63732CFB346A5D26CE2EF28167773A7650
SHA512  56BEFCE11DCEDF5D3CFF4C707776EE15E97C75E78E312AB1A0D6A480C51D00F3289715B5FA0037E94994C8C9979BFEE8FE6E0AF0CB6FFA0B1D6386197EBA24F4
SSDEEP  12288:lxVi8hfX3hmV86iEdYQUqxjNzwHJem7OzwHJeSm:lriuX3dYdBUqxjBwpemIwpeD

Runtime Data

Usage (stdout):

Usage: C:\program files\Mozilla Firefox\firefox.exe [ options ... ] [URL]
       where options include:

  -h or --help       Print this message.
  -v or --version    Print Firefox version.
  --full-version     Print Firefox version, build and platform build ids.
  -P <profile>       Start with <profile>.
  --profile <path>   Start with profile at <path>.
  --migration        Start with migration wizard.
  --ProfileManager   Start with ProfileManager.
  --no-remote        Do not accept or send remote commands; implies
                     --new-instance.
  --new-instance     Open new instance, not a new window in running instance.
  --UILocale <locale> Start with <locale> resources as UI Locale.
  --safe-mode        Disables extensions and themes for this session.
  --allow-downgrade  Allows downgrading a profile.
  --MOZ_LOG=<modules> Treated as MOZ_LOG=<modules> environment variable,
                     overrides it.
  --MOZ_LOG_FILE=<file> Treated as MOZ_LOG_FILE=<file> environment variable,
                     overrides it. If MOZ_LOG_FILE is not specified as an
                     argument or as an environment variable, logging will be
                     written to stdout.
  --console          Start Firefox with a debugging console.
  --headless         Run without a GUI.
  --ssb <uri>        Open a site specific browser for <uri>.
  --browser          Open a browser window.
  --new-window <url> Open <url> in a new window.
  --new-tab <url>    Open <url> in a new tab.
  --private-window <url> Open <url> in a new private window.
  --preferences      Open Options dialog.
  --screenshot [<path>] Save screenshot to <path> or in working directory.
  --window-size width[,height] Width and optionally height of screenshot.
  --search <term>    Search <term> with your default search engine.
  --setDefaultBrowser Set this app as the default browser.
  --first-startup    Run post-install actions before opening a new window.
  --kiosk Start the browser in kiosk mode.
  --jsconsole        Open the Browser Console.
  --jsdebugger [<path>] Open the Browser Toolbox. Defaults to the local build
                     but can be overridden by a firefox path.
  --wait-for-jsdebugger Spin event loop until JS debugger connects.
                     Enables debugging (some) application startup code paths.
                     Only has an effect when `--jsdebugger` is also supplied.
  --devtools         Open DevTools on initial load.
  --start-debugger-server [ws:][ <port> | <path> ] Start the devtools server on
                     a TCP port or Unix domain socket path. Defaults to TCP port
                     6000. Use WebSocket protocol if ws: prefix is specified.
  --recording <file> Record drawing for a given URL.
  --recording-output <file> Specify destination file for a drawing recording.

Child Processes:

firefox.exe

Loaded Modules:

Path
C:\program files\Mozilla Firefox\firefox.exe
C:\program files\Mozilla Firefox\mozglue.dll
C:\program files\Mozilla Firefox\MSVCP140.dll
C:\program files\Mozilla Firefox\VCRUNTIME140.dll
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\SYSTEM32\CRYPTBASE.DLL
C:\Windows\SYSTEM32\dbghelp.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\MSASN1.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\SYSTEM32\VERSION.dll
C:\Windows\System32\WINTRUST.dll

Signature

  • Status: Signature verified.
  • Serial: 0DDEB53F957337FBEAF98C4A615B149D
  • Thumbprint: 91CABEA509662626E34326687348CAF2DD3B4BBA
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: E="release+certificates@mozilla.com", CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US

File Metadata

  • Original Filename: firefox.exe
  • Product Name: Firefox
  • Company Name: Mozilla Corporation
  • File Version: 80.0
  • Product Version: 80.0
  • Language: Language Neutral
  • Legal Copyright: Firefox and Mozilla Developers; available under the MPL 2 license.

File Similarity (ssdeep match)

File                                          Score
C:\Program Files\Mozilla Firefox\firefox.exe 50
C:\Program Files\Mozilla Firefox\firefox.exe 50
C:\Program Files\Mozilla Firefox\firefox.exe 50

Possible Misuse

The following table contains possible examples of firefox.exe being misused. While firefox.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/ DRL 1.0
sigma proxy_ua_frameworks.yml - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0' DRL 1.0
sigma proxy_ua_frameworks.yml - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0' DRL 1.0
sigma proxy_ua_hacktool.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper DRL 1.0
sigma proxy_ua_malware.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality DRL 1.0
sigma proxy_ua_malware.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality DRL 1.0
sigma proxy_ua_suspicious.yml - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html DRL 1.0
sigma win_suspicious_outbound_kerberos_connection.yml - '\firefox.exe' DRL 1.0
sigma dns_query_win_susp_ipify.yml - \firefox.exe DRL 1.0
sigma file_event_win_mal_vhd_download.yml - firefox.exe DRL 1.0
sigma net_connection_win_suspicious_outbound_kerberos_connection.yml - '\firefox.exe' DRL 1.0
sigma posh_ps_access_to_browser_login_data.yml - '\Mozilla\Firefox\Profiles' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\firefox.exe' DRL 1.0
sigma proc_creation_win_tor_browser.yml - '\Tor Browser\Browser\firefox.exe' DRL 1.0
sigma registry_event_dns_over_https_enabled.yml - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS DRL 1.0
sigma registry_event_dns_over_https_enabled.yml TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' DRL 1.0
sigma registry_event_taskcache_entry.yml - '\TaskCache\Tree\Mozilla\Firefox Default Browser Agent ' DRL 1.0
sigma registry_event_taskcache_entry.yml - '\TaskCache\Tree\Mozilla\Firefox Background Update ' DRL 1.0
sigma sysmon_process_hollowing.yml - '\firefox.exe' DRL 1.0
malware-ioc keydnap | 773a82343367b3d09965f6f09cc9887e7f8f01bf | screenshot.jpg | 2016-05-07 | hxxp://dev.aneros.com/media/icloudsyncd | Firefox 20 about screenshot © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0", © ESET 2014-2018
malware-ioc kryptocibule - Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0 © ESET 2014-2018
malware-ioc mispadu | F6021380AD6E26038B5629189A7ADA5E0022C313 | Mozilla Firefox credential stealer | Win32/PSWTool.PassFox.F © ESET 2014-2018
malware-ioc mumblehard - Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/<1 or more digits>.<1 or more digits>.<1 or more digits> Firefox/7.0.1 © ESET 2014-2018
malware-ioc mumblehard - Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 © ESET 2014-2018
malware-ioc oceanlotus | a40ee8ff313e59aa92d48592c494a4c3d81449af | Firefox Installer.exe | Win32/TrojanDropper.Agent.RUI © ESET 2014-2018
malware-ioc 2020_Q2 === Firefox addons © ESET 2014-2018
malware-ioc rtm Firefox © ESET 2014-2018
malware-ioc rtm firefox.exe © ESET 2014-2018
malware-ioc misp-turla-crutch-event.json "value": "%PROGRAMFILES%\\(x86)\\Mozilla Firefox\\rasadhlp.dll", © ESET 2014-2018
malware-ioc turla * ++C:\Program Files (x86)\Mozilla Firefox\rasadhlp.dll++ © ESET 2014-2018
atomic-red-team index.md - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Firefox [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Firefox [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #3: Firefox [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Firefox [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows] MIT License. © 2018 Red Canary
atomic-red-team T1176.md - Atomic Test #3 - Firefox MIT License. © 2018 Red Canary
atomic-red-team T1176.md ## Atomic Test #3 - Firefox MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. MIT License. © 2018 Red Canary
atomic-red-team T1217.md | output_file | Path where captured results will be placed. | Path | /tmp/T1217-Firefox.txt| MIT License. © 2018 Red Canary
atomic-red-team T1217.md find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \; MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. MIT License. © 2018 Red Canary
atomic-red-team T1217.md find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \; MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md - Atomic Test #6 - Simulating access to Windows Firefox Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ## Atomic Test #6 - Simulating access to Windows Firefox Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Simulates an adversary accessing encrypted credentials from firefox web browser's login database. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles" -Destination $env:temp -Force -Recurse MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Firefox must be installed MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Firefox login data file must exist MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles") {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox="C:\Program Files\Mozilla Firefox\firefox.exe"}else {$firefox="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Start-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Start-Process $firefox -NoNewWindow MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Stop-Process -Name firefox MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s4 = "(C)Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL" wide CC BY-NC 4.0
signature-base apt_apt37_bluelight.yar $chrome9 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0" CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $s2 = "\Mozilla\Firefox\Profiles\" fullword ascii CC BY-NC 4.0
signature-base apt_casper.yar $s2 = "firefox.exe" fullword ascii CC BY-NC 4.0
signature-base apt_casper.yar $x2 = "\Roaming\Mozilla\Firefox\Profiles\*" fullword ascii CC BY-NC 4.0
signature-base apt_casper.yar $x3 = "\Mozilla\Firefox\Profiles\*" fullword ascii CC BY-NC 4.0
signature-base apt_danti_svcmondr.yar $s3 = "%s\Mozilla\Firefox\profiles.ini" fullword ascii CC BY-NC 4.0
signature-base apt_dragonfly.yar $s4 = "******* Mozilla Firefox ******" fullword wide CC BY-NC 4.0
signature-base apt_dtrack.yar $s2 = "%s\%s\AppData\Roaming\Mozilla\Firefox\Profiles" fullword ascii CC BY-NC 4.0
signature-base apt_duqu2.yar $x1 = "Mozilla/5.0 (Windows NT 6.1; U; ru; rv:5.0.1.6) Gecko/20110501 Firefox/5.0.1 Firefox/5.0.1" fullword wide CC BY-NC 4.0
signature-base apt_duqu2.yar $x4 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2" fullword wide CC BY-NC 4.0
signature-base apt_eqgrp.yar $x1 = "firefox http://127.0.0.1:8000/$_name" fullword ascii CC BY-NC 4.0
signature-base apt_freemilk.yar $s1 = "SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command" fullword wide CC BY-NC 4.0
signature-base apt_golddragon.yar $s6 = "Mozilla/5.0 (Windows NT 5.2; rv:12.0) Gecko/20100101 Firefox/12.0" fullword ascii CC BY-NC 4.0
signature-base apt_grizzlybear_uscert.yar $STR3 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0" ascii wide CC BY-NC 4.0
signature-base apt_rokrat.yar $s1 = "SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command" fullword wide CC BY-NC 4.0
signature-base apt_sednit_delphidownloader.yar $s3 = "4D6F7A696C6C612076352E31202857696E646F7773204E5420362E313B2072763A362E302E3129204765636B6F2F32303130303130312046697265666F782F36" ascii /* hex encoded string 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' */ CC BY-NC 4.0
signature-base apt_sofacy_xtunnel_bundestag.yar $variant21 = "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" CC BY-NC 4.0
signature-base apt_sofacy_xtunnel_bundestag.yar $x1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide CC BY-NC 4.0
signature-base apt_sofacy_xtunnel_bundestag.yar $x2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide CC BY-NC 4.0
signature-base apt_unit78020_malware.yar $s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii CC BY-NC 4.0
signature-base apt_unit78020_malware.yar $s3 = "%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles" fullword wide CC BY-NC 4.0
signature-base apt_vpnfilter.yar $a1 = "Mozilla/5.0 Firefox/50.0" fullword ascii CC BY-NC 4.0
signature-base apt_vpnfilter.yar $a2 = "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii CC BY-NC 4.0
signature-base apt_vpnfilter.yar $a3 = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii CC BY-NC 4.0
signature-base apt_zxshell.yar $u3 = "User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0" fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0" fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base crime_andromeda_jun17.yar $x4 = "firefox.exe.exe" fullword wide CC BY-NC 4.0
signature-base crime_bad_patch.yar $s3 = "\AppData\Roaming\Mozilla\Firefox\Profiles" fullword wide CC BY-NC 4.0
signature-base crime_mal_nitol.yar $s3 = "User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0" fullword ascii CC BY-NC 4.0
signature-base crime_rombertik_carbongrabber.yar $s5 = "firefox.exe" fullword ascii CC BY-NC 4.0
signature-base crime_socgholish.yar $b1 = "Firefox.js" ascii CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects uncommon file size of firefox.exe" CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == "firefox.exe" CC BY-NC 4.0
signature-base gen_anomalies_keyword_combos.yar $fp5 = "Firefox Helper" wide fullword CC BY-NC 4.0
signature-base gen_p0wnshell.yar $x1 = "Now if we point Firefox to http://127.0.0.1" fullword ascii CC BY-NC 4.0
signature-base gen_tscookie_rat.yar $x2 = "----------------------- Firefox Passwords ------------------" fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.