firefox.exe

  • File Path: C:\Program Files\Mozilla Firefox\firefox.exe
  • Description: Firefox

Hashes

Type Hash
MD5 2E9D3F170BE8451F3DAE9D0EB8EE2A6E
SHA1 8A215E01D3DB881A460756CA40F605745462563F
SHA256 A6B9B90FE4467771F8AF298D1ACCF28E94BB3DE0912D4CFE45A4049C5A4E46F8
SHA384 5E19F69BBE58327A098F018C4094318F4311E018841DCBAAD065D377B6AE5A5344F6B4A1CD7040BB345C2C21D394ECFB
SHA512 75E436F51FA76A1152792B1B613BBD9D112F7CBFBBDD14C1ABDAAC3BD90ACD69CD84C3836E61BC18E1E1BB3BB8887BC12A0BC6D3C3DA5A422B62FC1966715C54
SSDEEP 12288:RrfuYfOPhhNVVJdATxgHzwHJem7OzwHJeNq:RrWYfgDaTxAwpemIwpeNq
IMP 33A2C52411E5518D74C6B096934612F4
PESHA1 C0D0986635A1243AF870AB9B4D774C3C5B0974E4
PE256 2406977468665FD50F9419EFDC3F6B0274A504D688F77641C5E60269D60587B8

Runtime Data

Usage (stdout):

Usage: C:\Program Files\Mozilla Firefox\firefox.exe [ options ... ] [URL]
       where options include:

  -h or --help       Print this message.
  -v or --version    Print Firefox version.
  --full-version     Print Firefox version, build and platform build ids.
  -P <profile>       Start with <profile>.
  --profile <path>   Start with profile at <path>.
  --migration        Start with migration wizard.
  --ProfileManager   Start with ProfileManager.
  --no-remote        Do not accept or send remote commands; implies
                     --new-instance.
  --new-instance     Open new instance, not a new window in running instance.
  --safe-mode        Disables extensions and themes for this session.
  --allow-downgrade  Allows downgrading a profile.
  --MOZ_LOG=<modules> Treated as MOZ_LOG=<modules> environment variable,
                     overrides it.
  --MOZ_LOG_FILE=<file> Treated as MOZ_LOG_FILE=<file> environment variable,
                     overrides it. If MOZ_LOG_FILE is not specified as an
                     argument or as an environment variable, logging will be
                     written to stdout.
  --console          Start Firefox with a debugging console.
  --headless         Run without a GUI.
  --ssb <uri>        Open a site specific browser for <uri>.
  --browser          Open a browser window.
  --new-window <url> Open <url> in a new window.
  --new-tab <url>    Open <url> in a new tab.
  --private-window <url> Open <url> in a new private window.
  --preferences      Open Options dialog.
  --screenshot [<path>] Save screenshot to <path> or in working directory.
  --window-size width[,height] Width and optionally height of screenshot.
  --search <term>    Search <term> with your default search engine.
  --setDefaultBrowser Set this app as the default browser.
  --first-startup    Run post-install actions before opening a new window.
  --kiosk Start the browser in kiosk mode.
  --jsconsole        Open the Browser Console.
  --jsdebugger [<path>] Open the Browser Toolbox. Defaults to the local build
                     but can be overridden by a firefox path.
  --wait-for-jsdebugger Spin event loop until JS debugger connects.
                     Enables debugging (some) application startup code paths.
                     Only has an effect when `--jsdebugger` is also supplied.
  --devtools         Open DevTools on initial load.
  --start-debugger-server [ws:][ <port> | <path> ] Start the devtools server on
                     a TCP port or Unix domain socket path. Defaults to TCP port
                     6000. Use WebSocket protocol if ws: prefix is specified.
  --recording <file> Record drawing for a given URL.
  --recording-output <file> Specify destination file for a drawing recording.

Child Processes:

firefox.exe

Loaded Modules:

Path
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\mozglue.dll
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 0DDEB53F957337FBEAF98C4A615B149D
  • Thumbprint: 91CABEA509662626E34326687348CAF2DD3B4BBA
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: E="release+certificates@mozilla.com", CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=Mountain View, S=California, C=US

File Metadata

  • Original Filename: firefox.exe
  • Product Name: Firefox
  • Company Name: Mozilla Corporation
  • File Version: 81.0
  • Product Version: 81.0
  • Language: Language Neutral
  • Legal Copyright: Firefox and Mozilla Developers; available under the MPL 2 license.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/a6b9b90fe4467771f8af298d1accf28e94bb3de0912d4cfe45a4049c5a4e46f8/detection/

File Similarity (ssdeep match)

File Score
C:\program files\Mozilla Firefox\firefox.exe 50
C:\Program Files\Mozilla Firefox\firefox.exe 41
C:\Program Files\Mozilla Firefox\firefox.exe 44

Possible Misuse

The following table contains possible examples of firefox.exe being misused. While firefox.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/ DRL 1.0
sigma proxy_ua_frameworks.yml - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0' DRL 1.0
sigma proxy_ua_frameworks.yml - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0' DRL 1.0
sigma proxy_ua_hacktool.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper DRL 1.0
sigma proxy_ua_malware.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality DRL 1.0
sigma proxy_ua_malware.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality DRL 1.0
sigma proxy_ua_suspicious.yml - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html DRL 1.0
sigma win_suspicious_outbound_kerberos_connection.yml - '\firefox.exe' DRL 1.0
sigma dns_query_win_susp_ipify.yml - \firefox.exe DRL 1.0
sigma file_event_win_mal_vhd_download.yml - firefox.exe DRL 1.0
sigma net_connection_win_suspicious_outbound_kerberos_connection.yml - '\firefox.exe' DRL 1.0
sigma posh_ps_access_to_browser_login_data.yml - '\Mozilla\Firefox\Profiles' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\firefox.exe' DRL 1.0
sigma proc_creation_win_tor_browser.yml - '\Tor Browser\Browser\firefox.exe' DRL 1.0
sigma registry_event_dns_over_https_enabled.yml - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS DRL 1.0
sigma registry_event_dns_over_https_enabled.yml TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' DRL 1.0
sigma registry_event_taskcache_entry.yml - '\TaskCache\Tree\Mozilla\Firefox Default Browser Agent ' DRL 1.0
sigma registry_event_taskcache_entry.yml - '\TaskCache\Tree\Mozilla\Firefox Background Update ' DRL 1.0
sigma sysmon_process_hollowing.yml - '\firefox.exe' DRL 1.0
malware-ioc keydnap | 773a82343367b3d09965f6f09cc9887e7f8f01bf | screenshot.jpg | 2016-05-07 | hxxp://dev.aneros.com/media/icloudsyncd | Firefox 20 about screenshot © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0", © ESET 2014-2018
malware-ioc kryptocibule - Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0 © ESET 2014-2018
malware-ioc mispadu | F6021380AD6E26038B5629189A7ADA5E0022C313 | Mozilla Firefox credential stealer | Win32/PSWTool.PassFox.F © ESET 2014-2018
malware-ioc mumblehard - Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/<1 or more digits>.<1 or more digits>.<1 or more digits> Firefox/7.0.1 © ESET 2014-2018
malware-ioc mumblehard - Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 © ESET 2014-2018
malware-ioc oceanlotus | a40ee8ff313e59aa92d48592c494a4c3d81449af | Firefox Installer.exe | Win32/TrojanDropper.Agent.RUI © ESET 2014-2018
malware-ioc 2020_Q2 === Firefox addons © ESET 2014-2018
malware-ioc rtm Firefox © ESET 2014-2018
malware-ioc rtm firefox.exe © ESET 2014-2018
malware-ioc misp-turla-crutch-event.json "value": "%PROGRAMFILES%\\(x86)\\Mozilla Firefox\\rasadhlp.dll", © ESET 2014-2018
malware-ioc turla * ++C:\Program Files (x86)\Mozilla Firefox\rasadhlp.dll++ © ESET 2014-2018
atomic-red-team index.md - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Firefox [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Firefox [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #3: Firefox [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Firefox [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows] MIT License. © 2018 Red Canary
atomic-red-team T1176.md - Atomic Test #3 - Firefox MIT License. © 2018 Red Canary
atomic-red-team T1176.md ## Atomic Test #3 - Firefox MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. MIT License. © 2018 Red Canary
atomic-red-team T1217.md | output_file | Path where captured results will be placed. | Path | /tmp/T1217-Firefox.txt| MIT License. © 2018 Red Canary
atomic-red-team T1217.md find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \; MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. MIT License. © 2018 Red Canary
atomic-red-team T1217.md find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \; MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md - Atomic Test #6 - Simulating access to Windows Firefox Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ## Atomic Test #6 - Simulating access to Windows Firefox Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Simulates an adversary accessing encrypted credentials from firefox web browser's login database. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles" -Destination $env:temp -Force -Recurse MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Firefox must be installed MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Firefox login data file must exist MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles") {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox="C:\Program Files\Mozilla Firefox\firefox.exe"}else {$firefox="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Start-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Start-Process $firefox -NoNewWindow MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Stop-Process -Name firefox MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s4 = "(C)Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL" wide CC BY-NC 4.0
signature-base apt_apt37_bluelight.yar $chrome9 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0" CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $s2 = "\Mozilla\Firefox\Profiles\" fullword ascii CC BY-NC 4.0
signature-base apt_casper.yar $s2 = "firefox.exe" fullword ascii CC BY-NC 4.0
signature-base apt_casper.yar $x2 = "\Roaming\Mozilla\Firefox\Profiles\*" fullword ascii CC BY-NC 4.0
signature-base apt_casper.yar $x3 = "\Mozilla\Firefox\Profiles\*" fullword ascii CC BY-NC 4.0
signature-base apt_danti_svcmondr.yar $s3 = "%s\Mozilla\Firefox\profiles.ini" fullword ascii CC BY-NC 4.0
signature-base apt_dragonfly.yar $s4 = "******* Mozilla Firefox ******" fullword wide CC BY-NC 4.0
signature-base apt_dtrack.yar $s2 = "%s\%s\AppData\Roaming\Mozilla\Firefox\Profiles" fullword ascii CC BY-NC 4.0
signature-base apt_duqu2.yar $x1 = "Mozilla/5.0 (Windows NT 6.1; U; ru; rv:5.0.1.6) Gecko/20110501 Firefox/5.0.1 Firefox/5.0.1" fullword wide CC BY-NC 4.0
signature-base apt_duqu2.yar $x4 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110612 Firefox/6.0a2" fullword wide CC BY-NC 4.0
signature-base apt_eqgrp.yar $x1 = "firefox http://127.0.0.1:8000/$_name" fullword ascii CC BY-NC 4.0
signature-base apt_freemilk.yar $s1 = "SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command" fullword wide CC BY-NC 4.0
signature-base apt_golddragon.yar $s6 = "Mozilla/5.0 (Windows NT 5.2; rv:12.0) Gecko/20100101 Firefox/12.0" fullword ascii CC BY-NC 4.0
signature-base apt_grizzlybear_uscert.yar $STR3 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0" ascii wide CC BY-NC 4.0
signature-base apt_rokrat.yar $s1 = "SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command" fullword wide CC BY-NC 4.0
signature-base apt_sednit_delphidownloader.yar $s3 = "4D6F7A696C6C612076352E31202857696E646F7773204E5420362E313B2072763A362E302E3129204765636B6F2F32303130303130312046697265666F782F36" ascii /* hex encoded string 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' */ CC BY-NC 4.0
signature-base apt_sofacy_xtunnel_bundestag.yar $variant21 = "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" CC BY-NC 4.0
signature-base apt_sofacy_xtunnel_bundestag.yar $x1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide CC BY-NC 4.0
signature-base apt_sofacy_xtunnel_bundestag.yar $x2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide CC BY-NC 4.0
signature-base apt_unit78020_malware.yar $s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii CC BY-NC 4.0
signature-base apt_unit78020_malware.yar $s3 = "%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles" fullword wide CC BY-NC 4.0
signature-base apt_vpnfilter.yar $a1 = "Mozilla/5.0 Firefox/50.0" fullword ascii CC BY-NC 4.0
signature-base apt_vpnfilter.yar $a2 = "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii CC BY-NC 4.0
signature-base apt_vpnfilter.yar $a3 = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" fullword ascii CC BY-NC 4.0
signature-base apt_zxshell.yar $u3 = "User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0" fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar $s3 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0" fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base crime_andromeda_jun17.yar $x4 = "firefox.exe.exe" fullword wide CC BY-NC 4.0
signature-base crime_bad_patch.yar $s3 = "\AppData\Roaming\Mozilla\Firefox\Profiles" fullword wide CC BY-NC 4.0
signature-base crime_mal_nitol.yar $s3 = "User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0" fullword ascii CC BY-NC 4.0
signature-base crime_rombertik_carbongrabber.yar $s5 = "firefox.exe" fullword ascii CC BY-NC 4.0
signature-base crime_socgholish.yar $b1 = "Firefox.js" ascii CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects uncommon file size of firefox.exe" CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == "firefox.exe" CC BY-NC 4.0
signature-base gen_anomalies_keyword_combos.yar $fp5 = "Firefox Helper" wide fullword CC BY-NC 4.0
signature-base gen_p0wnshell.yar $x1 = "Now if we point Firefox to http://127.0.0.1" fullword ascii CC BY-NC 4.0
signature-base gen_tscookie_rat.yar $x2 = "———————– Firefox Passwords ——————" fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.