ReimageExpress.exe

Reimage Express

Reimage Limited

The executable ReimageExpress.exe, “Reimage Express Downloader” has been detected as malware by 1 anti-virus scanner. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from 41.223.201.249 and multiple other hosts. While running, it connects to the Internet address vip080.ssl.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
Reimage®  (signed by Reimage Limited)

Product:
Reimage Express

Description:
Reimage Express Downloader

Version:
1.041

MD5:
8f1f2b8c37c744c975b3b965ac741bbe

SHA-1:
65907c2ed37dc0529e5052f4c75542e5a0d999c9

SHA-256:
8616369725808f5ecc4cb66abba188efe4332b2af8d5f15bedd750681e31645e

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
6/18/2021 5:20:55 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Win32.Generic.Reimage.Installer.Meta
15.7.30.13

File size:
583.4 KB (597,384 bytes)

Product version:
1.041

Copyright:
© Reimage 2015

Original file name:
ReimageExpress.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\reimageexpress.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
7/2/2015 8:00:00 PM

Valid to:
7/1/2016 7:59:59 PM

Subject:
CN=Reimage Limited, OU=-, O=Reimage Limited, L=Nicosia, S=Nicosia, C=CY

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
0A7A59B65CF9058A3807F6D0AFC2EB84

File PE Metadata
Compilation timestamp:
2/24/2012 2:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:GEBLdpj09hgk1huEldRJs3eNcI8h2MbsalnYUhcs76:G4Ldpjghgk1hpRHW2M/GUhX76

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 
[+]

Entropy:
7.8685

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file ReimageExpress.exe has been seen being distributed by the following 14 URLs.

http://41.223.201.249/.../ReimageExpress.exe

http://172.19.66.104/.../ReimageExpress.exe

http://111.161.65.90:81/1Q2W3E4R5T6Y7U8I9O0P1Z2X3C4V5B/cdnrep.reimage.com/.../ReimageExpress.exe

http://41.223.201.249:801/.../ReimageExpress.exe

http://202.141.239.75/cdnrep.reimage.com/.../ReimageExpress.exe

http://103.1.138.136/cdnrep.reimage.com/.../ReimageExpress.exe

http://113.171.224.214/.../ReimageExpress.exe

http://113.171.224.245/.../ReimageExpress.exe

http://113.171.224.168/.../ReimageExpress.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to vip080.ssl.hwcdn.net  (205.185.208.80:80)

Remove ReimageExpress.exe - Powered by Reason Core Security