icreinstall_bitlordsetup.exe

Codicit

House of Life

The installer uses InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_bitlordsetup.exe, “Codicit Setup” by House of Life, has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the InstallCore installer and is typically executed from the user's temporary directory. The file has been seen being downloaded from www.safeguardupdate.com and multiple other hosts. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
House of Life  (signed and verified)

Product:
Codicit

Description:
Codicit Setup

Version:
1.7.1.5

MD5:
f65c9f5292636fa6b32c2222da28795f

SHA-1:
5a878db3b59a80b3cdc17455db8edb08d4729f5c

SHA-256:
90c7e4e0a6962fcf8e6c9276f8555bcca15620d1b4a61808b88e45b5914d90de

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
11/8/2024 3:51:15 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.installCore (M)

Engine version:
17.1.10.8

File size:
1.3 MB (1,334,360 bytes)

Product version:
2.4.8

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_bitlordsetup.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
4/10/2016 6:00:00 PM

Valid to:
4/11/2017 5:59:59 PM

Subject:
CN=House of Life, OU=IT, O=House of Life, L=Sogndal, S=Sogndal, C=NO

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
0E8FFE1E4086A8FB13C069E8E8571F82

File PE Metadata
Compilation timestamp:
6/19/1992 4:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Entropy:
7.9801

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file icreinstall_bitlordsetup.exe has been seen being distributed by the following 4 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)
