home

icreinstall_viber.exe

Installer Program

Advertiso GmbH

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_viber.exe, “Installer Program Setup ” by Advertiso GmbH has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from tmpfile623.s3.amazonaws.com. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
Application Lite Program   (signed by Advertiso GmbH)

Product:
Installer Program

Description:
Installer Program Setup

MD5:
02c73034148e9758cba433d866e06735

SHA-1:
97c89e7b63510eced2a11f9d2762759007524d7e

SHA-256:
c64366f48650ca8a0c5a8d9d68ac17fa1409c92092b92f757617bd6ac42e7723

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/29/2024 6:16:48 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.installCore.Advertiso.Installer (M)
16.1.29.1

File size:
969.2 KB (992,504 bytes)

Product version:
1.0.5

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_viber.exe

Digital Signature
Signed by:
Advertiso GmbH

Authority:
GlobalSign nv-sa

Valid from:
12/30/2015 12:39:23 PM

Valid to:
12/30/2016 12:39:23 PM

Subject:
CN=Advertiso GmbH, O=Advertiso GmbH, L=Hamburg, S=Hamburg, C=DE

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11218076537D25662FA013A20AD703FFB76D

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:61an+2EXjIHV/Zfxvx9lYW2GWll1F1nuBg6atlkKLgC:6Yn+XzIHV/xxvx9lYWbWX1TaxC

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Entropy:
7.9294

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file icreinstall_viber.exe has been seen being distributed by the following URL.

https://tmpfile623.s3.amazonaws.com/download77/ic_trackings/654/.../viber.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

Remove icreinstall_viber.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.