icreinstall_avast_free_downloader.exe

New Software S.C.

The installer utilizes InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_avast_free_downloader.exe by New Software S.C. has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The installer is marketed through download portals and search ads as the free AVAST Antivirus, but it will also install additional software offers, which include adware, PUPs and browser toolbars.
Publisher:
New Software S.C.  (signed and verified)

MD5:
272276a1f9d5327416123f094abd5d24

SHA-1:
e41a0e072405231083f2f433dbb90870bcef6d78

SHA-256:
0ded8fd732f8658d9957ebb25ca9be3be07ca6a6c5ee1b2eec74d0d466103a00

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
6/18/2025 1:32:23 PM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
PUP.installCore.NewSoftw (M)

Engine version:
16.6.23.1

File size:
1.1 MB (1,114,856 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Digital Signature
Authority:
COMODO CA Limited

Valid from:
8/27/2012 2:00:00 AM

Valid to:
8/28/2013 1:59:59 AM

Subject:
CN=New Software S.C., O=New Software S.C., STREET=ul. Jana Pawla II 15/18, L=Zagan, S=NA, PostalCode=68-100, C=PL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DB12D12A46E4B099C0E54C816A9A760D

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:8nRT7ySym7a1ZeaCFqQfUb2l/SVRF10b50YekWmM88TYAeudjTjKRwFsStnFc+6z:8nRT7ySym7a1ZeaCFqQfUby/SVRF10bL

Entry address:
0xCAA10

Entry point:
55, 8B, EC, 83, C4, F0, B8, 30, F6, 40, 00, E8, 6B, FE, FF, FF, C0, FF, 25, A4, 01, 47, 00, 8B, C0, FF, 25, A0, 01, 47, 00, 8B, C0, FF, 25, 9C, 01, 47, 00, 8B, C0, FF, 25, 98, 01, 47, 00, 8B, C0, FF, 25, 94, 01, 47, 00, 8B, C0, FF, 25, 90, 01, 47, 00, 8B, C0, FF, 25, 8C, 01, 47, 00, 8B, C0, FF, 25, CC, 01, 47, 00, 8B, C0, FF, 25, 88, 01, 47, 00, 8B, C0, FF, 25, C8, 01, 47, 00, 8B, C0, FF, 25, 84, 01, 47, 00, 8B, C0, FF, 25, 80, 01, 47, 00, 8B, C0, FF, 25, 7C, 01, 47, 00, 8B, C0, FF, 25, 78, 01, 47, 00, 8B...
 

Developed / compiled with:
Microsoft Visual C++

Code size:
826 KB (845,824 bytes)

The file icreinstall_avast_free_downloader.exe has been seen being distributed by the following URL.

http://www.instalki.pl/.../get_avast_Free_Antivirus.php

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)
