home

icreinstall_sai-rus-pack-1.1.0-f1.exe

Tohekat

SpeedyPrompt (New Media Holdings Ltd)

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_sai-rus-pack-1.1.0-f1.exe, “Tohekat Setup ” by SpeedyPrompt (New Media Holdings) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.newtourshare.com and multiple other hosts. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
Kup   (signed by SpeedyPrompt (New Media Holdings Ltd))

Product:
Tohekat

Description:
Tohekat Setup

Version:
4.8.4.0

MD5:
fd52a5da8df85e7ec7a18efe721b5c49

SHA-1:
29eb27c9cfeb7ac7f96307127b5989dbad557049

SHA-256:
4cec143e2fa6df89a4126dfe4b50249cd1761c26294dea6d0fa67e1f2ab54ae8

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
4/25/2024 4:28:27 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.NewMedia.NMH (M)
16.10.21.12

File size:
951.1 KB (973,912 bytes)

Product version:
4.2

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_sai-rus-pack-1.1.0-f1.exe

Digital Signature
Signed by:
SpeedyPrompt (New Media Holdings Ltd)

Authority:
GlobalSign nv-sa

Valid from:
12/17/2015 5:27:56 PM

Valid to:
6/1/2016 7:18:59 PM

Subject:
CN=SpeedyPrompt (New Media Holdings Ltd), O=SpeedyPrompt (New Media Holdings Ltd), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11217859832E1C02CFE81458CC264243B14E

File PE Metadata
Compilation timestamp:
6/20/1992 2:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:L7MtbV/r2oxmgWeLEYb2VxnJ+cCkCMm4xQuM:LwX/r2YmHIMxY34xQD

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file icreinstall_sai-rus-pack-1.1.0-f1.exe has been seen being distributed by the following 6 URLs.

http://www.newtourshare.com/b7 YT8bEgtyhXtEBQG8dQgVnu7UmXlO_DVc7FEnFLf9ldemNLC83cmIPLev0lP8BCLocRAFYubzs6IAt2cSw6goB7OCpGgoyURaPNApT8QUWBOkyAF3NEKPE21YaI9K84UymprvK02Ll50TehSlOBnEhJbD06v4Mf3UYpsmO3l04TxZs2w HXb3Zp70uJ4ZzrgmUbdN5vfMfftCp9u41USxZ4YRsxXiPc9bKEgIIYmrm0U0J669QyJFsE0RoQzGET7Dmu5Pk8wYhVZ1KYsQPFaKpwPmy4tiG4pHbWynHCzsdXBZIPt0cvHXMZh8cxloj_SVOrpfvJByZjfRseogudZ3CjolQaYycxWJuLVh5hYNJgnFEESw=-Gx4AAAQccmiptINUUAtSyCa66I3zQN4Y WRVY5yNThw=-e

http://www.newtourshare.com/RZoe78px9tC1diaj7uwPgr xdH5gqlJlHWMDozbBu61wFTa_dUQeoQMYvxxpZD jPCnmGSgdMVZKIo8v0j8W2HGg2PYjAxhh7qKDaI8KBCc57R9f TLC2RH KTCE6kUCrIV_bbeOcOhNbJ6Kj S_nnm9QAikN9a0k FswqokgxJ1RQ8PnjLzY9bV15ii_OX8KEe4j2a2K2XYgOWjfOPCg dOUTZOT24xEaWLjXCpKrY_VRlLwNuXVfMujbONFDE4XrCTigBWfwUzHKtVO4ZKcVx11S6CySmnffkTTl4P7hvGErLvIUc7 ophpN83YgwK4f01L0mPKsNo5NqDKMgXF0ONCgEPhA==-Gx4AAAQccmiptINUUAtSyCa66I3zQN4Y WRVY5yNThw=

http://www.newtourshare.com/Tpx3e95d Go7WIwPyTx6e9RKKe3YFuBXJtVoAoeFLiuGuH9fT3CTKQ dS007iT5jPPmKE2eMRp8NxE3Foi2Ax8Llnxf7LdO6EAH3bGRLuRPSXg8hM0_eJZR8SKCy6hsMm2tEKCOqoxo_VXCjidduambcxh2cNtKf0xXeblSFm1wQO2u0X2EXTq_nSlHf RPB jsUtTQX_SvZmkjoeh0mDhTcPj0MSd 3EheSuyBqDtDI_tfIE8Uz5Plkk8ohcNmk1GjnMwX0kx5zskjchl_xeVPRT1Zr3wJA7hqVtxY1gDFxbwnwGLw95Kg4OkUaM1Ty3jwuT1FrtCT8AYqU_mMuQTpBguzOWw==-Gx4AAAQccmiptINUUAtSyCa66I3zQN4Y WRVY5yNThw=

http://www.newtourshare.com/OpOUkf7CIX4mlU_yb7SLwafGdUWEDwmvTp_kBxYowm7TZ45nJZA8RuKrKl27x8zZo8gkEzsI3tvYrBvbVPHagMs1SZEp5bKbS59w6zqAy6AO0QCW7o5WfzLyjpaWL62wL5Is5P7Xl5tpULS_NIrKo7QyuyQ aHd7oF7GrJGUzpageeNqldCLMbvbJ066K16umHnJwbnjjM84JgtHvqo5X4TvKdCMnCXM2zUJssz8K2we0Zx_vlwfRwlHvlBLpZTY14W7ZJt RwTkuNT2VbHEENlOpr1yfOpeZX0jYJ0l91J0R4GLJQA3 HNrFghGnzhfoald1wjPqwrF0y2sd4TG3pXU5QSjyQ==-Gx4AAAQccmiptINUUAtSyCa66I3zQN4Y WRVY5yNThw=

http://www.newtourshare.com/ehGin7sOM6XZuVZ1kiwqrAKUPoEQlVUsX4WSzCk_TwoNmzKoZ4C_DA9wBZfbwYgdwEGjQXa55YFRBuZ49J3xFqnjFyGZsqR2w6s7z7mJITskJHzetMJA4qVOczzYh72z5rZHEbdPdCQsQNsYuHuuYu8B7WA7m5rXdkPGG qPxxLJNrFCrN5NQGNCCXi9xC4D4CJ5aCWTfblm9hTR2uBRhJwSSPuOjbTWQOY_DB3w6cCIsM4fV_HgnbLaOnDneW VBDyES9SffuK uKcIKe6F5A7pUTeMiKuUQMaGYGEhid3pO SP9yKTZ9Rq10a4KyP6D0_gl0nQZJIZtoYtSSpvQENq2xRs6Q==-Gx4AAAQccmiptINUUAtSyCa66I3zQN4Y WRVY5yNThw=

http://www.newtourshare.com/eM985FhCZGn_EGKC4Mi8UZMzdtw0n7t7SZq2hkY3laN5H5aHCq884wadWtnL3aclKBRGlkVEr9aZNlsFJuGKEH8iUhNdwWsitOvKYxG3udghbEQCrvZtyf7GB8x_YSYcjKKRoxvDIyRyfcJppUzp7NlcA0n0qm3jdhW_Q2d9xDmYaiqEAyND4iXBN1z9gn1h7LQzARPa3S3jGLrN ZJU3uoxaqiW9_O2Q jxrclmiIHRvGqJd6ZqcDyldgDQJeM3mUZpZuoMgXzO9S3Hb77EAq49naOZdNagIHN MIA9Po5AmGce6MPd91N1pCvMHALkk73FUS0PQ7SFV0p2j1UegwbP_60MMQ==-Gx4AAAQccmiptINUUAtSyCa66I3zQN4Y WRVY5yNThw=

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_sai-rus-pack-1.1.0-f1.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.