» icreinstall_winamp-full-5666-build-3516-32-bits.exe
Overview
Analysis
File Details
Downloads (1)
Network (3)

icreinstall_winamp-full-5666-build-3516-32-bits.exe

ISBRInstaller

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_winamp-full-5666-build-3516-32-bits.exe by ISBRInstaller has been detected as adware by 24 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from esd.baixaki.com.br. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.

File name:

Publisher:

ISBRInstaller (signed and verified)

MD5:

206d98be52823ae122efc66e8ceef113

SHA-1:

5797a320d7c035b49fbbed5bfb186a8654eb7ba6

SHA-256:

c5abbe7f1fb31d960b2d47ed0c91afb06d7afece162107a8d820fa066c0756a7

Scanner detections:

24 / 68

Status:

Adware

Explanation:

Bundles additional software, mostly toolbars and other potentially unwanted applications using the Vittalia monitization installer.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

4/16/2024 1:50:30 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Adware.Agent.NXJ

911

Agnitum Outpost

PUA.InstallCore

7.1.1

AVG

MalSign.InstallC

2015.0.3389

Bitdefender

Adware.Agent.NXJ

1.0.20.1095

Bkav FE

W32.Clodfa4.Trojan

1.3.0.4613

Comodo Security

Application.Win32.Installcore.ES

17612

Dr.Web

Adware.InstallCore.133

9.0.1.0356

Emsisoft Anti-Malware

Adware.Agent.NXJ

8.14.08.07.08

ESET NOD32

Win32/InstallCore.ES (variant)

7.9179

Fortinet FortiGate

Riskware/Vittalia

8/7/2014

F-Secure

Adware.Agent.NXJ

11.2014-07-08_5

G Data

Adware.Agent.NXJ

14.8.24

herdProtect (fuzzy)

variant of comodo-icedragon-26001-32-bits.exe (Adware)

2013.12.22.21

K7 AntiVirus

Unwanted-Program

13.176.11684

Malwarebytes

PUP.Optional.InstallCore.A

v2014.08.07.08

McAfee

Artemis!1A5F0EC5A521

5600.7220

MicroWorld eScan

Adware.Agent.NXJ

15.0.0.657

nProtect

Adware.Agent.NXJ

14.03.18.01

Reason Heuristics

PUP.ISBRInstaller.p

14.8.7.20

Rising Antivirus

PE:Malware.XPACK-LNR/Heur!1.5594

23.00.65.131220

Sophos

Install Core Click run software

4.97

Trend Micro House Call

TROJ_GEN.F47V1215

7.2.45

Vba32 AntiVirus

Downware.InstallCore

3.12.24.3

VIPRE Antivirus

Trojan.Win32.Generic

25450

File size:

608.5 KB (623,136 bytes)

File type:

Executable application (Win32 EXE)

Bundler/Installer:

installCore (using Inno Setup)

Common path:

C:\users\{user}\appdata\local\temp\icreinstall_winamp-full-5666-build-3516-32-bits.exe

Digital Signature

Signed by:

ISBRInstaller

Authority:

COMODO CA Limited

Valid from:

7/16/2013 9:00:00 PM

Valid to:

7/17/2014 8:59:59 PM

Subject:

CN=ISBRInstaller, O=ISBRInstaller, STREET=Ronthschilde 63, L=Tel Aviv, S=Tel Aviv, PostalCode=6527319, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

158EF632B1D9C77CF5AAB6A9367E7FCE

File PE Metadata

Compilation timestamp:

6/19/1992 7:22:17 PM

OS version:

1.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

12288:ESyMJfsG0CvmjOPw43JmkynqNPr4ucXt3Ru/YBcqoqc+t4Iv0eI:ESyMJfskaOPweGMr4XlvBQqcnIMeI

Entry address:

0x98CC

Entry point:

55, 8B, EC, 83, C4, CC, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, FA, 97, FF, FF, E8, 01, AA, FF, FF, E8, 2C, CC, FF, FF, E8, 73, CC, FF, FF, E8, 0A, F3, FF, FF, E8, 71, F4, FF, FF, 33, C0, 55, 68, 76, 9F, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 2C, 9F, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, B0, 40, 00, E8, 9B, FE, FF, FF, E8, 26, FA, FF, FF, 8D, 55, F0, 33, C0, E8, E0, D0, FF, FF, 8B, 55, F0, B8, D8, BD, 40, 00, E8, AB, 98, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, D8, BD, 40, 00, B2, 01, B8... 
[+]

Packer / compiler:

Inno Setup v5.x - Installer Maker

Code size:

36 KB (36,864 bytes)

The file icreinstall_winamp-full-5666-build-3516-32-bits.exe has been seen being distributed by the following URL.

http://esd.baixaki.com.br/programas/7597/.../winamp-full-5666-build-3516-32-bits.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to os.solvefile.com (207.189.109.121:80)

TCP (HTTP):

Connects to cdnus.solvefile.com (207.189.109.121:80)

TCP (HTTP):

Connects to cdneu.webfilescdn.com (65.254.40.36:80)

Remove icreinstall_winamp-full-5666-build-3516-32-bits.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.