icreinstall_icreinstall_videowave-8-download.exe

I.T.N.T. SRL

The application icreinstall_icreinstall_videowave-8-download.exe by I.T.N.T. SRL has been detected as adware by 26 of 68 anti-malware scanners. It is a setup program that uses the Soft32 Download Manager, which is built on the InstallCore engine and may bundle about 3-4 offers for ad-supported toolbars, browser extensions and utilities alongside the requested download. While running, it connects to the Internet address os.solvefile.com on TCP port 80 using the HTTP protocol.
Publisher:
I.T.N.T. SRL  (signed and verified)

MD5:
0ad0a4339f963b87aabf0f32b5a70e31

SHA-1:
20a7357d6b41c564bf7e1f63c193032555635e65

SHA-256:
4756b3203164653a9d152ffce5496df3ddab0fc7807e61a79ab156e53611a7d2

Scanner detections:
26 / 68

Status:
Adware

Explanation:
The setup file is part of the Soft32.com download and install manager. It is an ad-supported installer that prompts the user to install various adware toolbars, browser add-ons, game applications or other potentially unwanted programs. If a sponsored software offer such as a toolbar is accepted, it may change the user's home page, default search settings and the handling of 404 (page not found) traffic. Note that the software delivered by Soft32 is probably safe; it is the wrapper installer that is unwanted.

Description:
This 'download manager' is also considered bundleware: a utility that downloads the software the user asked for (possibly legitimate or open source) and bundles it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
4/30/2024 8:19:07 PM UTC

Scan engine         Detection                                             Engine version
Lavasoft Ad-Aware   Application.InstallCore.C                             986
Agnitum Outpost     PUA.InstallCore                                       7.1.1
AhnLab V3 Security  Adware/Win32.InstallCore                              14.05.24
Avira AntiVirus     (not listed)                                          7.11.151.96
avast!              InstallCore-AJ [PUP]                                  140516-1
Bitdefender         Application.InstallCore.C                             1.0.20.720
Clam AntiVirus      Adware.Installcore-4                                  0.98/19010
Comodo Security     Application.Win32.Adware.InstallCore.E                18318
Dr.Web              Adware.InstallCore.17                                 9.0.1.05190
ESET NOD32          Win32/InstallCore.F potentially unwanted application  7.0.302.0
F-Prot              W32/InstallCore.B.gen                                 4.6.5.141
F-Secure            Application.InstallCore.C                             11.2014-24-05_7
G Data              Application.InstallCore                               14.5.24
IKARUS anti.virus   Trojan-Downloader.Win32.Dadobra                       t3scan.1.6.1.0
K7 AntiVirus        Trojan                                                13.178.12184
MicroWorld eScan    Application.InstallCore.C                             15.0.0.432
NANO AntiVirus      Riskware.Win32.InstallCore.nrfjj                      0.28.0.59921
Qihoo 360 Security  Malware.QVM11.Gen                                     1.0.0.1015
Reason Heuristics   PUP.ITNTSRL.m                                         14.5.24.15
Rising Antivirus    PE:AdWare.Win32.InstallCore.k!1075351058              23.00.65.14522
Sophos              Install Core Installer                                4.98
SUPERAntiSpyware    Trojan.Agent/Gen-InstallCore                          10586
Total Defense       Win32/InstallCore.A!genus                             37.0.10956
Vba32 AntiVirus     BScope.Malware-Cryptor.Sinba.C                        3.12.26.0
VIPRE Antivirus     Threat.4783370                                        29560
Zillya! Antivirus   Adware.InstallCore.Win32.1                            2.0.0.1799

File size:
521.3 KB (533,816 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Soft32 Download Manager

Common path:
C:\Documents and Settings\{user}\Local settings\temp\icreinstall_icreinstall_videowave-8-download.exe

Digital Signature
Signed by:
I.T.N.T. SRL
Authority:
VeriSign, Inc.

Valid from:
3/22/2011 6:00:00 PM

Valid to:
3/22/2012 5:59:59 PM

Subject:
CN=I.T.N.T. SRL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=I.T.N.T. SRL, L=Sibiu, S=Sibiu, C=RO

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
33A46E83A20B563F609E32633A83ABB7

File PE Metadata
Compilation timestamp:
6/19/1992 5:22:17 PM  (the fixed placeholder timestamp that Borland Delphi linkers write into every image they produce; it is not the real build time, and it is consistent with the Delphi stub and linker version listed below)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:RYCdqrktyBcXfXOZBfkuCaGBEqrcIdnqnPLE5skoprCYomu0l7hG:arhBKX8fkuCaGyJIdnALE5lQrCHmlltG

Entry address:
0x10AA60

Entry point:
60, BE, 00, 20, 49, 00, 8D, BE, 00, F0, F6, FF, C7, 87, 10, A7, 0C, 00, B5, 49, D0, AD, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...

Entropy:
7.8926

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.22 (Delphi) stub

Code size:
484 KB (495,616 bytes)
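The PE metadata above combines three indicators that a triage script can check mechanically: the 1992 compilation timestamp, the UPX-style entry-point stub (pushad; mov esi, imm32; lea edi, [esi+disp32]) and the entropy of 7.89. The Python script below is added here as an example; it is not part of this analysis page and not tooling from I.T.N.T. SRL or Soft32. It parses a PE32 header with the standard library and applies those checks. It runs against a file constructed in build_sample_pe(), whose section layout (an empty UPX0 section reserving the unpacked image, then a UPX1 section holding pseudo-random data followed by the stub) is an assumption modelled on typical UPX output rather than taken from the analysed file; only the first twelve entry-point bytes are the ones quoted on this page.

```python
"""Static PE32 triage for the indicators in the "File PE Metadata" block above.
Added example, not the page's own tooling; standard library only. The sample PE
is built by build_sample_pe(), whose layout is an assumption modelled on UPX output."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# Borland/Delphi linkers emit this TimeDateStamp (1992-06-19 22:22:17 UTC) into
# every image, so it says nothing about when the binary was really built.
DELPHI_PLACEHOLDER_TS = 0x2A425E19

# First 12 entry-point bytes quoted on the page:
#   60                 pushad
#   BE 00 20 49 00     mov esi, 0x492000       (packed data; image base 0x400000)
#   8D BE 00 F0 F6 FF  lea edi, [esi-0x91000]  (= 0x401000, the unpack destination)
UPX_STUB_PREFIX = bytes.fromhex("60 BE 00 20 49 00 8D BE 00 F0 F6 FF")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; compressed or encrypted data sits near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_like_upx_stub(entry: bytes) -> bool:
    """pushad; mov esi, imm32; lea edi, [esi+disp32]; the immediates are wildcards."""
    return len(entry) >= 12 and entry[0] == 0x60 and entry[1] == 0xBE and entry[6:8] == b"\x8D\xBE"


def rva_to_offset(sections: list, rva: int):
    """Map an RVA to a file offset through the section table; None if unmapped."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    return None


def parse_pe(data: bytes) -> dict:
    """Read the few PE32 header fields needed for triage."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff, opt = e_lfanew + 4, e_lfanew + 24          # COFF header, optional header
    if data[:2] != b"MZ" or data[e_lfanew:coff] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    entry_off = rva_to_offset(sections, entry_rva)
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections,
            "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "entry_bytes": b"" if entry_off is None else data[entry_off:entry_off + 12]}


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    pe["entropy"] = round(shannon_entropy(data), 4)
    findings = []
    if pe["timestamp"] == DELPHI_PLACEHOLDER_TS:
        findings.append("delphi-placeholder-timestamp")
    if looks_like_upx_stub(pe["entry_bytes"]):
        findings.append("upx-entry-stub")
    if any(s["name"].startswith("UPX") for s in pe["sections"]):
        findings.append("upx-section-names")
    if pe["entropy"] > 7.0:
        findings.append("high-entropy")
    pe["findings"] = findings
    return pe


def build_sample_pe(stub: bytes, timestamp: int, seed: int = 1) -> bytes:
    """Constructed PE32 in a UPX-like layout (assumption, not the analysed file): UPX0
    reserves the unpacked image, UPX1 holds pseudo-random 'packed' bytes then the stub."""
    rng = random.Random(seed)
    packed = bytes(rng.getrandbits(8) for _ in range(0x10000))
    body = packed + stub
    upx1_va, upx1_raw = 0x92000, 0x400
    entry_rva = upx1_va + len(packed)                # entry point is the stub
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, 0x10B, 2, 25)   # PE32 magic, linker 2.25
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    def sec(name, vsize, va, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0xE0000060)
    headers = (dos + b"PE\0\0" + coff + bytes(opt)
               + sec(b"UPX0", 0x91000, 0x1000, 0, 0) + sec(b"UPX1", len(body), upx1_va, len(body), upx1_raw))
    return headers.ljust(upx1_raw, b"\0") + body


if __name__ == "__main__":
    print(triage(build_sample_pe(UPX_STUB_PREFIX, DELPHI_PLACEHOLDER_TS))["findings"])
```

To run it against a real file, call triage(open(path, "rb").read()). The values listed on this page (the 1992 timestamp, the pushad/mov esi/lea edi entry bytes and entropy 7.89) would trigger all three checks, which is the practical conclusion of the metadata block: the binary has to be unpacked (for UPX, upx -d) before any further static analysis, and its timestamp cannot be used to date the build. The entropy threshold of 7.0 is a rule of thumb; legitimately compressed resources can also push a file above it, so the stub and section checks are what make the packer call.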

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)