icreinstall_drpsu12.3-lite-install.exe

Kuzyakov Artur Vyacheslavovich IP

The installer is built on the InstallCore engine, which typically bundles three or four offers for ad-supported toolbars, browser extensions and utilities alongside the program being installed. icreinstall_drpsu12.3-lite-install.exe, signed by Kuzyakov Artur Vyacheslavovich IP ("IP" being the Russian abbreviation for an individual entrepreneur), has been flagged as a potentially unwanted program by 10 of the 68 anti-malware scanners used. The file has been seen downloaded from drp.su and several other hosts. While running, it connects over plain HTTP (TCP port 80) to os.solvefile.com.
Publisher:
Kuzyakov Artur Vyacheslavovich IP  (signed and verified)

MD5:
45c6def167e601f07a1df1815b954059

SHA-1:
042bd58d3b2b44f830dbd038f0716139192e8b4c

SHA-256:
bab281057ec83e15f73f4bedea644bc453dea2265c3481de0902c33fef040ad1

Scanner detections:
10 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (often legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/23/2024 12:19:27 PM UTC

Scan engine                Detection                                    Engine version
Avira AntiVirus                                                         7.11.125.108
Comodo Security            UnclassifiedMalware                          17619
Dr.Web                     Adware.InstallCore.59                        9.0.1.0358
ESET NOD32                 Win32/InstallCore.AG (variant)               7.9296
Fortinet FortiGate         Riskware/InstallCore                         12/24/2013
Norman                     InstallCore.FAIX                             11.20131224
Reason Heuristics          PUP.KuzyakovArturVyacheslavovichIP.b         14.2.17.0
Rising Antivirus           PE:Trojan.Win32.Generic.12E3B7AA!316913578   23.00.65.131222
Trend Micro House Call     TROJ_SPNR.0BI612                             7.2.358
Trend Micro                TROJ_SPNR.0BI612                             10.465.24

File size:
1 MB (1,054,920 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_drpsu12.3-lite-install.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
2/28/2012 1:00:00 AM

Valid to:
2/28/2015 12:59:59 AM

Subject:
CN=Kuzyakov Artur Vyacheslavovich IP, O=Kuzyakov Artur Vyacheslavovich IP, STREET=24K1 Tashkentskaya ul., L=Moscow, S=Moscow, PostalCode=109472, C=RU

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008ED5EE3D985B31936DA24E4A4CC34419

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM  (the fixed value 0x2A425E19 that the Borland/Delphi linker writes into every binary it links; not the real build date)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:TozZhUfIqU9+qm8DyIi2bU8QpP7YUn4G8E:8zZhUfIqU9+n8s2bU5P7YU4t

Entry address:
0xC9940

Entry point:
55, 8B, EC, 83, C4, F0, B8, 40, 9C, 40, 00, E8, 3B, E0, FF, FF, FF, 25, 80, 11, 47, 00, 8B, C0, FF, 25, EC, 11, 47, 00, 8B, C0, FF, 25, 7C, 11, 47, 00, 8B, C0, FF, 25, 78, 11, 47, 00, 8B, C0, FF, 25, 74, 11, 47, 00, 8B, C0, FF, 25, 04, 12, 47, 00, 8B, C0, FF, 25, 00, 12, 47, 00, 8B, C0, FF, 25, FC, 11, 47, 00, 8B, C0, FF, 25, 70, 11, 47, 00, 8B, C0, FF, 25, 6C, 11, 47, 00, 8B, C0, FF, 25, 14, 12, 47, 00, 8B, C0, FF, 25, 10, 12, 47, 00, 8B, C0, FF, 25, 0C, 12, 47, 00, 8B, C0, FF, 25, 68, 11, 47, 00, 8B, C0...

Developed / compiled with:
Borland/Embarcadero Delphi  (indicated by linker version 2.25, the fixed 1992 timestamp and the Delphi-style entry stub above: push ebp / mov ebp,esp / add esp,-0x10 / mov eax,imm32 / call; not Microsoft Visual C++)

Code size:
818 KB (837,632 bytes)
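Added example (not Reason Core's code, and not part of the original record): a Python triage script that hashes a file for comparison with the MD5/SHA-1/SHA-256 above and reads the reported PE fields (timestamp, linker version, OS version, subsystem, entry RVA and the first entry-point bytes) straight out of the headers with struct, then flags the Delphi linker's fixed timestamp and entry stub. The build_sample_pe() helper constructs a minimal stand-in PE32 carrying the record's header values so the script can run offline; that image is synthetic, so its hashes will not match the record's (the known_sample flag shows exactly that).

```python
import hashlib
import struct
from datetime import datetime, timezone

# Indicators copied from the analysis record on this page.
KNOWN_HASHES = {
    "md5": "45c6def167e601f07a1df1815b954059",
    "sha1": "042bd58d3b2b44f830dbd038f0716139192e8b4c",
    "sha256": "bab281057ec83e15f73f4bedea644bc453dea2265c3481de0902c33fef040ad1",
}
# The Borland/Delphi linker writes this fixed TimeDateStamp into every PE it emits:
# 0x2A425E19 = 1992-06-19 22:22:17 UTC, shown in the record as "6/20/1992 12:22:17 AM".
DELPHI_STAMP = 0x2A425E19
# First 16 entry-point bytes from the record: push ebp / mov ebp,esp / add esp,-0x10 /
# mov eax,imm32 / call rel32, the stub the Delphi linker places in front of the program.
PAGE_ENTRY_BYTES = bytes.fromhex("558BEC83C4F0B8409C4000E83BE0FFFF")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the raw file, for comparison with the record's hashes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes) -> dict:
    """Read the header fields the record reports directly from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                 # IMAGE_DOS_HEADER.e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                                # IMAGE_FILE_HEADER
    _machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                                  # IMAGE_OPTIONAL_HEADER32
    magic, lmaj, lmin, code_size = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]          # 2 = Windows GUI
    # The section table follows the optional header; use it to map the entry RVA to a file offset.
    entry_off = None
    for i in range(nsect):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            entry_off = entry_rva - vaddr + rawptr
    return {
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "linker": f"{lmaj}.{lmin}",
        "code_size": code_size,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": subsystem,
        "entry_rva": entry_rva,
        "entry_bytes": data[entry_off:entry_off + 16] if entry_off is not None else b"",
    }


def triage(data: bytes) -> dict:
    """Hashes plus header facts, with the verdicts an analyst wants first."""
    info = parse_pe(data)
    info["hashes"] = file_hashes(data)
    info["known_sample"] = info["hashes"]["sha256"] == KNOWN_HASHES["sha256"]
    info["delphi_stamp"] = info["timestamp"] == DELPHI_STAMP
    info["delphi_entry"] = info["entry_bytes"].startswith(b"\x55\x8b\xec\x83\xc4\xf0")
    return info


def build_sample_pe(stamp=DELPHI_STAMP, linker=(2, 25), entry=PAGE_ENTRY_BYTES) -> bytes:
    """Constructed stand-in for the installer: a minimal PE32 whose headers carry the
    record's values, so the parser can be exercised without the real sample."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)   # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<HBBI", opt, 0, 0x10B, linker[0], linker[1], 837632)
    struct.pack_into("<I", opt, 16, 0x1000)                              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                            # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                               # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                                   # Windows GUI subsystem
    sect = b"CODE".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + bytes(16)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + entry.ljust(0x200, b"\0")


if __name__ == "__main__":
    import sys
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(sample).items():
        print(f"{key:14} {value.hex() if isinstance(value, bytes) else value}")
```

Run it with a path to a real sample to compare against the record, or with no argument to run against the constructed image. A genuine Delphi build shows the 1992 stamp, a 2.x linker and the push/mov/add/mov/call stub together; any one of those alone is weaker evidence, since a packer can copy a stub and a build system can set an arbitrary stamp.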

The file icreinstall_drpsu12.3-lite-install.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)
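Added example (not Reason Core's code): matching the network indicators above against proxy log lines in Python. Both observed hostnames resolve to the same address, 207.189.109.121, so an IP rule covers both even when DNS names change; the hostname rule matches on label boundaries so that a lookalike such as notsolvefile.com does not hit. The log format, the client addresses, the static.solvefile.com line and the drp.su request path are constructed for the example and are not observations from the record; treating any solvefile.com host as suspicious is an assumption made here, not a finding on the page.

```python
import ipaddress
import re

# Network indicators from the analysis record on this page.
IOC_HOSTS = {"os.solvefile.com", "cdnus.solvefile.com"}   # callback hosts seen at run time
IOC_IPS = {"207.189.109.121"}                             # both hosts resolved to this address
IOC_DOWNLOAD_HOSTS = {"drp.su"}                           # where the installer itself was fetched
# Assumption for this example: any other solvefile.com host is treated as suspicious, since the
# two observed hosts share that parent domain and the same IP.
IOC_PARENT_DOMAINS = {"solvefile.com"}

# Constructed proxy-log format: "<timestamp> <client> <method> <host>[:<port>] <path>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>[^:/\s]+)(?::(?P<port>\d+))? (?P<path>\S+)")


def domain_matches(host: str, domains: set) -> bool:
    """Exact or subdomain match on label boundaries: 'notsolvefile.com' must not hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(line: str):
    """Return a hit record for one log line, or None if the line carries no indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = m.group("host")
    reasons = []
    try:
        if str(ipaddress.ip_address(host)) in IOC_IPS:
            reasons.append("ip")
    except ValueError:                                    # not an IP literal, so a hostname
        if domain_matches(host, IOC_HOSTS):
            reasons.append("host")
        elif domain_matches(host, IOC_PARENT_DOMAINS):
            reasons.append("parent-domain")
        if domain_matches(host, IOC_DOWNLOAD_HOSTS):
            reasons.append("download-source")
    if not reasons:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"), "host": host,
            "port": int(m.group("port") or 0), "reasons": reasons}


def find_hits(log_text: str) -> list:
    """All indicator hits in a block of log text, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


# Constructed sample lines (not a real capture): one client fetches the installer from drp.su,
# then runs it and produces the callbacks listed in the record; a second client is noise.
SAMPLE_LOG = """\
2024-04-23T12:18:55Z 10.0.0.15 GET drp.su:80 /download
2024-04-23T12:19:30Z 10.0.0.15 GET os.solvefile.com:80 /
2024-04-23T12:19:31Z 10.0.0.15 CONNECT 207.189.109.121:80 -
2024-04-23T12:19:32Z 10.0.0.15 GET cdnus.solvefile.com:80 /offers
2024-04-23T12:19:40Z 10.0.0.15 GET static.solvefile.com:80 /logo.png
2024-04-23T12:19:41Z 10.0.0.22 GET notsolvefile.com:80 /
2024-04-23T12:19:42Z 10.0.0.22 GET example.com:443 /
"""


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A download-source hit on its own only says the installer was fetched; the callback hits on solvefile.com or its IP are what show it actually ran on that client.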
