protectorpackagerr2016x64.exe

Reimage Protector

Reimage Limited

The application protectorpackagerr2016x64.exe, "Reimage Protector Installation Package" by Reimage Limited, has been flagged as a potentially unwanted program by 1 of 68 anti-malware scanners. That single hit is a heuristic PUP classification, not a confirmed malware verdict, so the file should be treated as unwanted software rather than as an established threat. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; despite the "x64" in its file name, the installer stub itself is a 32-bit Win32 executable (see File PE Metadata below). The file has been seen being downloaded from 41.223.201.246 and several other hosts, including Reimage's own repository domains. While running, it connects to vip080.ssl.hwcdn.net over HTTP on port 80.
Publisher:
Reimage  (signed by Reimage Limited)

Product:
Reimage Protector

Description:
Reimage Protector Installation Package

Version:
2.016

MD5:
782da72ac8ce4ebfe31406af63970578

SHA-1:
e48b565798c9b9ecf854af44fe00c615db7fc02f

SHA-256:
8334dd4057313f06c967de39adde27282254d36153ad47ab5df3ecaad3c68ddb

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
1/19/2022 10:07:25 PM UTC

Scan engine          Detection          Engine version
Reason Heuristics    PUP.Reimage (L)    17.1.23.15

File size:
5.4 MB (5,692,384 bytes)

Product version:
2.016

Copyright:
© Reimage 2017

Trademarks:
Reimage

Original file name:
ProtectorPackage.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\protectorpackagerr2016x64.exe

Digital Signature
Signed by:
Reimage Limited
Authority:
Symantec Corporation

Valid from:
5/17/2016 2:00:00 AM

Valid to:
8/17/2019 1:59:59 AM

Subject:
CN=Reimage Limited, O=Reimage Limited, L=Dasoupoli, S=Nicosia, C=CY

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
4320101ADF7A07C7405BC4433AE31FFD

File PE Metadata
Compilation timestamp:
2/24/2012 8:19:59 PM  (for an NSIS package this is the build time of the prebuilt NSIS stub, not of the package; that is why it predates the 2016 signature and the 2017 copyright)

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)
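The hashes, the PE header fields (compile timestamp, linker version, OS version, subsystem, entry RVA) and the NSIS packaging reported above can all be re-derived offline from a copy of the file. The following script is an added example, not code from Reason Core Security or from Reimage: it hashes a sample, reads those header fields with a minimal hand-written PE parser, and looks for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst") that identifies a Nullsoft installer. The function build_sample_pe() fabricates a small PE-shaped buffer populated with the header values listed on this page so the script runs without the real file; that buffer is constructed test data and its hashes will not match the listing. The compile timestamp is assumed to be UTC.

```python
"""Offline triage of a sample against the indicators listed on this page
(added example; not the analysis vendor's or Reimage's own code)."""
import hashlib
import struct
from datetime import datetime, timezone

# Hash values copied from this page's listing.
KNOWN_HASHES = {
    "md5": "782da72ac8ce4ebfe31406af63970578",
    "sha1": "e48b565798c9b9ecf854af44fe00c615db7fc02f",
    "sha256": "8334dd4057313f06c967de39adde27282254d36153ad47ab5df3ecaad3c68ddb",
}

# NSIS installers carry a "first header" in their data block that begins with
# the little-endian magic 0xDEADBEEF followed by the ASCII tag "NullsoftInst".
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Win32 (i386)", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def parse_pe(data: bytes) -> dict:
    """Read the COFF and optional-header fields this page reports.
    The offsets used here are identical for PE32 and PE32+: bytes 0..24 of the
    optional header match, and the 8-byte ImageBase of PE32+ occupies exactly
    the space of BaseOfData + ImageBase in PE32, so MajorOSVersion (offset 40)
    and Subsystem (offset 68) line up in both formats."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, ts, _sym, _nsym, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "pe_format": "PE32" if magic == 0x10B else "PE32+",
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
    }


def triage(data: bytes) -> dict:
    """Hash the sample, compare it with the listing, parse its PE header and
    report whether the NSIS marker is present anywhere in the file."""
    info = parse_pe(data)
    info["hashes"] = {name: hashlib.new(name, data).hexdigest() for name in KNOWN_HASHES}
    info["matches_listing"] = info["hashes"]["sha256"] == KNOWN_HASHES["sha256"]
    info["is_nsis"] = NSIS_MARKER in data
    return info


def triage_file(path: str) -> dict:
    with open(path, "rb") as f:
        return triage(f.read())


def build_sample_pe(entry_rva=0x39E3, linker=(10, 0), os_version=(5, 0),
                    subsystem=2, with_nsis=True) -> bytes:
    """Constructed test data: a minimal PE32 image carrying the header values
    listed on this page (assumed UTC for the timestamp), optionally followed
    by an NSIS-style overlay. It is not the real installer."""
    ts = int(datetime(2012, 2, 24, 20, 19, 59, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<HBB", opt, 0, 0x10B, *linker)  # PE32 magic, linker ver.
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, *os_version)    # Major/MinorOSVersion
    struct.pack_into("<H", opt, 68, subsystem)       # Subsystem (2 = GUI)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    if with_nsis:
        image += b"\0" * 16 + NSIS_MARKER + b"\0" * 16
    return image


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key:>16}: {value}")
```

Run triage_file() on a real copy of the installer to compare its hashes and header fields with the listing. The marker check only says the file was packaged with NSIS; extracting and inspecting the embedded payload (for example with 7-Zip) is a separate step.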

The file protectorpackagerr2016x64.exe has been seen distributed from the following 6 URLs. Two of them (172.19.66.40 and 172.19.66.103) are private-range addresses, so they reflect an internal mirror or the analysis environment rather than a public download source; the reimage.com hosts are the vendor's own repository domains.

http://41.223.201.246:801/.../ProtectorPackageRR2016x64.exe

http://172.19.66.40/.../ProtectorPackageRR2016x64.exe

http://113.171.224.170/.../ProtectorPackageRR2016x64.exe

http://172.19.66.103/.../ProtectorPackageRR2016x64.exe

http://ukrep.reimage.com/.../ProtectorPackageRR2016x64.exe

http://cdnrep.reimage.com/.../ProtectorPackageRR2016x64.exe

The executing file has been seen to make the following network communication in live environments. The destination is a hwcdn.net (Highwinds CDN) edge node shared by many unrelated customers, so the hostname and IP are weak indicators on their own and blocking them will affect other traffic.

TCP (HTTP):
Connects to vip080.ssl.hwcdn.net  (205.185.208.80:80)

Remove protectorpackagerr2016x64.exe - Powered by Reason Core Security