bearshare.exe

Kodehoro

PlatformFlash (Alpha Criteria Ltd.)

The application bearshare.exe, “Kodehoro Setup” by PlatformFlash (Alpha Criteria), has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application built on the InstallCore installer engine, which may bundle additional software offers, including toolbars and browser extensions. The file has been seen being downloaded from www.repositorycontentfarm.com.

Publisher:
PlatformFlash (Alpha Criteria Ltd.) (signed and verified)

Product:
Kodehoro

Description:
Kodehoro Setup

Version:
1.4.4.4

MD5:
9c3c8fb51571dd29515f24a649805be6

SHA-1:
9fc6ca5eeb3274f929c06b45264d49be4768557a

SHA-256:
1a65cd516dbd2ef8729ac8c39cba18da759fa8d6756c811510e9b2012aed06d7

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is a downloader designed to simply deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
11/14/2024 3:14:06 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.InstallCore.AC (M)

Engine version:
17.3.9.11

File size:
966.2 KB (989,416 bytes)

Product version:
1.0

Copyright:
Stub

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\bearshare.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/6/2016 3:49:33 PM

Valid to:
8/18/2016 3:17:41 PM

Subject:
CN=PlatformFlash (Alpha Criteria Ltd.), O=PlatformFlash (Alpha Criteria Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11215691C3B6E032A08894E88B37F278AE4B

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xAA98

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 2E, 86, FF, FF, E8, 35, 98, FF, FF, E8, 9C, 9B, FF, FF, E8, B7, 9F, FF, FF, E8, 56, BF, FF, FF, E8, ED, E8, FF, FF, E8, 54, EA, FF, FF, 33, C0, 55, 68, 69, B1, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 32, B1, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, D0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, C2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, 24, 93, FF, FF, 8D, 55, F0, 33, C0, E8, 66, C5, FF, FF, 8B, 55...
Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
40.5 KB (41,472 bytes)

The file bearshare.exe has been seen being distributed by the following URL.

http://www.repositorycontentfarm.com/ZInKPguPC3r04k1cmGnvqyWVdsf1P0ma3UGbExLEbTjSnha3YVR8Yl2KFSZz2LP YlSn0wU8XNTmA9leB9fqnjQYotuBklTMt58EENcj3JrSUMHBIAb0hvsl0I 2vTS558bZB 6JW_OQWdgSKOD6XhjYdaqlNjKbSPq0h25jbB6q1IexfYuo05_zq0MIDAkc47TJ sw1zShjwHjf1MT8Hbgh9ZK0ylYk8MPmfurz5t0rv9y IKthpYaUxjyMpS7OfjHgK Pj1EEF8YKMP LBSFW_Ti0hpiJsdn7xA_P23it_AUoHkZ8kjdsvbtxw1aTsPUwnZv1dVTPFLCfRTNh1qNDksTP80Q9JkXpilOg94OxVMA4nSfuLp6Z_NgU3 UvySrOay_8nl_UMRw76XcLj6Tvc3wMVdwqmAUJu CtP_VI JGKOea15x0b_LTnlXuK3uWFzMTxVbpvQoDp3EM8qtPdZd3femNa MwgwYAqlWmPsMM__4w=-G3AAAES3 X2edlyj65QIKSENLKEmpw_qt95a8wcPOOdANxYe6gWHcGwGaxuTZu1VjsNdzwf5TGf3b72 y7uVU2E5SNwSpBy8lpDGYtVNGkAA