reimagerepair.exe

Reimage Repair

Reimage Limited

The application reimagerepair.exe, “Reimage Downloader” by Reimage Limited, has been detected as a potentially unwanted program by 10 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The file has been observed being downloaded from RevenueWire's affiliate distribution platform newbuy.reimage.revenuewire.net and from several other hosts. While running, it connects to the Internet address vip080.ssl.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
Reimage® (signed by Reimage Limited)

Product:
Reimage Repair

Description:
Reimage Downloader

Version:
1.519

MD5:
cedd8609aa10b477e0cbbc024d540f96

SHA-1:
65c8e60d6fef926efedc039042dff9c728b0f3d6

SHA-256:
13dc44c8b21c7e93075f2903f5bf0515a61b5509c66265ad9daf6aa37d466708

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
1/21/2022 10:12:23 AM UTC

Scan engine              Detection                                    Engine version
Agnitum Outpost          Riskware.Agent                               7.1.1
Baidu Antivirus          PUA.Win32.ReImageRepair                      4.0.3.15621
Bkav FE                  W32.HfsAdware                                1.3.0.6379
Dr.Web                   Program.Unwanted.493                         9.0.1.0172
ESET NOD32               Win32/ReImageRepair.F potentially unwanted   9.11821
Fortinet FortiGate       Riskware/ReImageRepair                       6/21/2015
Malwarebytes             PUP.Optional.ReImageRepair.A                 v2015.06.21.09
McAfee                   Artemis!72CB31555DA5                         5600.6727
Reason Heuristics        Win32.Generic.Reimage.Installer.Meta         15.6.21.21
Trend Micro House Call   Suspicious_GEN.F47V0520                      7.2.172

File size:
750.2 KB (768,232 bytes)

Product version:
1.519

Copyright:
© Reimage 2015

Trademarks:
Reimage

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\hp downloads\reimagerepair.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
5/4/2015 8:00:00 PM

Valid to:
6/14/2016 7:59:59 PM

Subject:
CN=Reimage Limited, O=Reimage Limited, L=Tortola, S=Tortola, C=VG

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
42FA252C0EAB138AB118D98A1931718A

File PE Metadata
Compilation timestamp:
2/24/2012 2:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:70gt9CrJI+zeJe73RT7E9Yzewxnl9+pqNTO0gcCre50ET3cfE/KyZowelOq8O:4oQrJIWbhE0pnl/X0EwfE/Pg8O

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...

Entropy:
7.9133

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file reimagerepair.exe has been observed being distributed from the following 26 URLs.


While executing, the file has been observed making the following network connection in live environments.

TCP (HTTP):
Connects to vip080.ssl.hwcdn.net  (205.185.208.80:80)
