» wondershare-dr.fone-for-ios-3.5.1.2-key_bitlord.exe
Overview
Analysis
File Details
Network (2)

wondershare-dr.fone-for-ios-3.5.1.2-key_bitlord.exe

Coolapptech

The file is a bundle distribution and utilizes the installCore download manager to distribute this potentially unwanted software. The application wondershare-dr.fone-for-ios-3.5.1.2-key_bitlord.exe by Coolapptech has been detected as adware by 17 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. While running, it connects to the Internet address ns513839.ip-167-114-156.net on port 80 using the HTTP protocol.

File name:

Publisher:

Coolapptech (signed and verified)

MD5:

860943ff430999d0225c68522c48ccf8

SHA-1:

1e022437000c58a8fb3deaaedf1c478e65af2e5d

SHA-256:

eb617aa2b251955dcf969bb0a7d455d8b3e86f6014542d0c099b5417622f2d83

Scanner detections:

17 / 68

Status:

Adware

Explanation:

Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:

This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:

4/18/2024 5:41:24 PM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

PUA.InstallCore

7.1.1

Avira AntiVirus

W32/Ramnit.C

7.11.30.172

avast!

Win32:Adware-gen [Adw]

150531-1

AVG

Adware InstallCore.VX

2014.0.4311

Clam AntiVirus

Win.Adware.Installcore-550

0.98/20540

Dr.Web

Trojan.Packed.24524

9.0.1.05190

ESET NOD32

Win32/InstallCore.BY potentially unwanted application

7.0.302.0

F-Prot

W32/A-42c63c6c

v6.4.7.1.166

K7 AntiVirus

Unwanted-Program

13.204.16117

Malwarebytes

PUP.Optional.InstallCore

v2015.06.02.07

NANO AntiVirus

Riskware.Win32.InstallCore.dcnbhv

0.30.24.1636

Panda Antivirus

PUP/MultiToolbar.A

15.06.02.07

Reason Heuristics

PUP.Installer.Coolapptech

15.6.2.19

Rising Antivirus

PE:Malware.XPACK-LNR/Heur!1.5594

23.00.65.15531

Sophos

PUA 'Install Core Click run software'

5.14

Vba32 AntiVirus

Downware.InstallCore

3.12.26.4

VIPRE Antivirus

Threat.5063361

40552

File size:

700.1 KB (716,896 bytes)

File type:

Executable application (Win32 EXE)

Bundler/Installer:

installCore (using Inno Setup)

Common path:

C:\users\{user}\downloads\wondershare-dr.fone-for-ios-3.5.1.2-key_bitlord.exe

Digital Signature

Signed by:

Coolapptech

Authority:

COMODO CA Limited

Valid from:

11/20/2012 4:00:00 AM

Valid to:

11/21/2015 3:59:59 AM

Subject:

CN=Coolapptech, O=Coolapptech, STREET=63 Rothscild Blvd., L=Tel-Aviv, S=NA, PostalCode=65785, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00D28ED186DB6C8A2BF5BCE40679032191

File PE Metadata

Compilation timestamp:

6/20/1992 2:22:17 AM

OS version:

1.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

12288:cMJfsG35xx2yDGl5yfPgSPSs4/dXlDRoZVIlBPQhfE8P5imFJH:cMJfsKWyDwi6scdX1RsVwhKPXF

Entry address:

0x98CC

Entry point:

55, 8B, EC, 83, C4, CC, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, FA, 97, FF, FF, E8, 01, AA, FF, FF, E8, 2C, CC, FF, FF, E8, 73, CC, FF, FF, E8, 0A, F3, FF, FF, E8, 71, F4, FF, FF, 33, C0, 55, 68, 76, 9F, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 2C, 9F, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, B0, 40, 00, E8, 9B, FE, FF, FF, E8, 26, FA, FF, FF, 8D, 55, F0, 33, C0, E8, E0, D0, FF, FF, 8B, 55, F0, B8, D8, BD, 40, 00, E8, AB, 98, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, D8, BD, 40, 00, B2, 01, B8... 
[+]

Entropy:

7.8530

Packer / compiler:

Inno Setup v5.x - Installer Maker

Code size:

36 KB (36,864 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ns513839.ip-167-114-156.net (167.114.156.214:80)

TCP (HTTP):

Connects to a184-25-63-19.deploy.static.akamaitechnologies.com (184.25.63.19:80)

Remove wondershare-dr.fone-for-ios-3.5.1.2-key_bitlord.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.