icreinstall_updatestarlb_en.exe

UpdateStar GmbH

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_updatestarlb_en.exe by UpdateStar GmbH has been detected as a potentially unwanted program by 23 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from client.updatestar.com. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
UpdateStar GmbH  (signed and verified)

MD5:
b2f79cd59be907ccd3fb37e535fb20d8

SHA-1:
15b15a840f09ffb10c42f99ee3656f0dbf950859

SHA-256:
4f4e3aadb01d07cf672e0342e7ed903e1a4f4c4e785eef7a69916beff8ea48b2

Scanner detections:
23 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
3/6/2021 12:35:58 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Trojan.Heur2.GZ.PGZ@bqkIzwki
1019

Agnitum Outpost
Trojan.MulDrop
7.1.1

Avira AntiVirus
7.11.144.52

AVG
MalSign.InstallC
2015.0.3497

Baidu Antivirus
Adware.Win32.InstallCore
4.0.3.14421

Bitdefender
Gen:Trojan.Heur2.GZ.PGZ@bqkIzwki
1.0.20.555

Comodo Security
Application.Win32.InstallCore.BWAN
18125

Dr.Web
Trojan.MulDrop5.10078
9.0.1.0111

Emsisoft Anti-Malware
Gen:Trojan.Heur2.GZ.PGZ@bqkIzwki
8.14.04.21.03

ESET NOD32
Win32/InstallCore.LX (variant)
8.9694

Fortinet FortiGate
Riskware/InstallCore
4/21/2014

F-Secure
Gen:Trojan.Heur2.GZ.PGZ@bqkIzwki
11.2014-21-04_2

G Data
Gen:Trojan.Heur2.GZ.PGZ@bqkIzwki
14.4.24

IKARUS anti.virus
Trojan.Win32.Spy2
t3scan.1.6.1.0

K7 AntiVirus
Unwanted-Program
13.176.11806

Malwarebytes
v2014.04.21.03

McAfee
Artemis!B2F79CD59BE9
5600.7153

MicroWorld eScan
Gen:Trojan.Heur2.GZ.PGZ@bqkIzwki
15.0.0.333

Qihoo 360 Security
Win32/Virus.Adware.94c
1.0.0.1015

Reason Heuristics
PUP.UpdateStarGmbH.BB
14.4.21.15

Sophos
Install Core Installer
4.98

Trend Micro House Call
TROJ_GEN.F47V0408
7.2.111

VIPRE Antivirus
Adware.Win32.InstallCore.ba
28352

File size:
668.1 KB (684,088 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_updatestarlb_en.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
1/1/2013 7:00:00 PM

Valid to:
1/2/2016 6:59:59 PM

Subject:
CN=UpdateStar GmbH, O=UpdateStar GmbH, STREET=Hauptstraße 20, L=Berlin, S=Berlin, PostalCode=10827, C=DE

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
009ED227324380B40DDE36C8D31A33831F

File PE Metadata
Compilation timestamp:
6/19/1992 5:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:0EnvpPgfwvLYDZtzRgNoU+9qu9OToO6bXUk+t3Nbsd2T33v3ldbrT:0EnvtiwTYDZtzWoL9qmOsOn9Ad2T33v3

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Entropy:
7.8044

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file icreinstall_updatestarlb_en.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_updatestarlb_en.exe - Powered by Reason Core Security