icreinstall_winrar-420-baixaki-32-bits.exe

The installer uses InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_winrar-420-baixaki-32-bits.exe has been detected as adware by 15 anti-malware scanners. The program is a setup application built on the InstallCore engine, and the file is not signed with an Authenticode signature from a trusted source. Users of this installer expect to download the WinRAR archiver, but before that happens they may be presented with additional offers, mostly potentially unwanted software or adware.
MD5:
51c462d05d87705660e15dbfeb2f5dab

SHA-1:
9ec11dc5a8f3e166a609aa3934eb029ba4fd577b

SHA-256:
72a46915f57a5d564230b62716a1b8ea0b09f781152d58989635015189d70e40

Scanner detections:
15 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 8:51:10 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Adware.Generic.559747 | 1115 |
| Avira AntiVirus | Adware/Installco.AB | 7.11.124.210 |
| Bitdefender | Adware.Generic.559747 | 1.0.20.80 |
| Comodo Security | UnclassifiedMalware | 17597 |
| Dr.Web | Adware.InstallCore.76 | 9.0.1.016 |
| Emsisoft Anti-Malware | Adware.Generic.559747 | 8.14.01.16.11 |
| ESET NOD32 | Win32/InstallCore.BA (variant) | 8.9279 |
| F-Secure | Adware.Generic.559747 | 11.2014-16-01_5 |
| G Data | Adware.Generic.559747 | 14.1.22 |
| Malwarebytes | PUP.AdBundle | v2014.01.16.11 |
| MicroWorld eScan | Adware.Generic.559747 | 15.0.0.48 |
| NANO AntiVirus | Trojan.Win32.InstallCore.cqqkpf | 0.28.0.57029 |
| Rising Antivirus | PE:Trojan.Win32.Generic.141AB68B!337294987 | 23.00.65.14114 |
| SUPERAntiSpyware | PUP.AdBundle | 10842 |
| VIPRE Antivirus | InstallCore | 25348 |

File size:
1.1 MB (1,178,864 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallCore

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_winrar-420-baixaki-32-bits.exe

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:dCbb3HF2KzBlRdN9AztvlQlJ/wAInrb08bfhVwg3GnmoAg2jab9V7nBclQOkq27q:dIb3HF2KzBlrN96tvlQlJ/wA+rb08bf1

Entry address:
0xD4EF0

Entry point:
55, 8B, EC, 83, C4, F0, B8, 50, 44, 41, 00, E8, 0E, CD, FF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Developed / compiled with:
Microsoft Visual C++

Code size:
865.5 KB (886,272 bytes)

The file icreinstall_winrar-420-baixaki-32-bits.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_winrar-420-baixaki-32-bits.exe - Powered by Reason Core Security