winrar 5.40.exe

Lularuko

Ringier Axel Springer Polska Sp z o.o.

The installer utilizes the installCore download manager, which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application winrar 5.40.exe, "Lularuko Setup" by Ringier Axel Springer Polska Sp z o.o., has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The installer is marketed through download portals and search ads as the WinRAR archiver, but it also installs additional software offers, which include adware, PUPs and browser toolbars.
Publisher:
Sekisanar (signed by Ringier Axel Springer Polska Sp z o.o.)

Product:
Lularuko

Description:
Lularuko Setup

MD5:
0032c1e8a94c94bb98c00ba510c11e95

SHA-1:
878666462b98ea388b223dd921c9c99bc3eee492

SHA-256:
2cafb80198ecd3c70d49d39e6025c78e5fb398050f233d3e9325a5247411fc14

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics we consider this file unwanted.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, it is not set by default and is usually overlooked.

Analysis date:
9/22/2020 9:47:53 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.installCore (M)

Engine version:
17.3.16.2

File size:
1.2 MB (1,261,576 bytes)

Product version:
3.3

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\downloads\winrar 5.40.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
3/30/2016 1:52:52 PM

Valid to:
5/21/2017 12:59:59 PM

Subject:
CN=Ringier Axel Springer Polska Sp z o.o., O=Ringier Axel Springer Polska Sp z o.o., L=Warszawa, C=PL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121B967A60661EAF04C09AF81768FCD8FB6

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file winrar 5.40.exe has been seen being distributed by the following URL.

http://www.bytesendclear.com/blNSQFTlJedJpQ4JsvLtGQtID0m0tXLn _fdy2vwnp7vZy8DE5 4mQrtgl7khVhglJPEaJvkXTvMoXeLxWkikMLX8fNYkpvsUCqeJSTKt97YOm8Ib6VBp7gtCB0UP9V6F3dWen6QFvyFspcI1zQb ki0dP2GSjdMz98qTFpfHB2AjaiWIWfaYLIFJj6PZWLtzY4SlH72xoQ3wULnfI5PlxL HXPogQDF4PrsD2iLrq0KxbCyxJF8i512zZD6EEeum6JxYdqGnY8JjAhLGl2grik7aQ7cFj12SdOIo82KFGFAwMp_4ZSIdCFLrsVoZR7VyGPJT_1ZY1Hdf8E9lsH iFipMLH7JEyjsDnnA rVDeNa2ft73HKdu _dGtXO 33hYb4WlgiAxcc36AFOpb_IS29FO7Md9hMcjDVk6Zuq5jm565Ur8J8DjbFxKUnfLlZ5Llu1Eb4jc5FAg9tEEwIQX_ZojEiGiHDfd7GwQvoHSVuR7i615Tlqf N 0y1ZW6Yud4fdHkjF8bXKBvYoZkDC64s 5DW9flrHdHK2cAUX0r5QJFW9LmiE6nBiftrrY8L8F1Lc6O7fwLIUP4i_AKCwrmE7a9nddJNQ2aM_WJKFX6wAboqbvGo=-G2cAAGRwXkx3SIuX44QT4JADh aegCaBxtj5woO 7nGGMXCnex12TGb9cAWuX_2OjpgoPxYdo3DDO8_Z7_GTiL1_TaYH_1fBlPu9HquQAUDn jTeXa8r6PNXw4=
