icreinstall_bitlordsetup.exe

Bodatalege

House of Life

The installer utilizes InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_bitlordsetup.exe, “Bodatalege Setup” by House of Life, has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.farmcyclebundle.com. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
House of Life  (signed and verified)

Product:
Bodatalege

Description:
Bodatalege Setup

Version:
3.2.4.5

MD5:
e3325d7f11e378ba75b901a5c96d2664

SHA-1:
8c4371c202f80f1837070c2e49d08380c820a141

SHA-256:
51b7927a10501a6a597af1b576d6e4ea8d49a109211cf03c4872e006ccaa0d28

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
11/23/2024 5:17:42 PM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
PUP.installCore (M)

Engine version:
17.2.10.1

File size:
1.4 MB (1,416,264 bytes)

Product version:
1.5.3

Copyright:
Web

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_bitlordsetup.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
12/26/2016 4:00:00 AM

Valid to:
12/27/2017 3:59:59 AM

Subject:
CN=House of Life, OU=IT, O=House of Life, L=Sogndal, S=Sogn og Fjordane, C=NO

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
77DD66F8463792FF8C7544E4CE670D2B

File PE Metadata
Compilation timestamp:
6/20/1992 2:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Entropy:
7.9837

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file icreinstall_bitlordsetup.exe has been seen being distributed by the following URL.

http://www.farmcyclebundle.com/6Wj8aisqzRGM8nut_FgzmUB_TQZUxcIf7Zc8PHNSd8ZAKOwXzy5eMlNmep_cHLNNFpGxXaB OTxxfK8xpI9OXoKlO_Nthl4qbKF4o01yMtphluTWb6lJRhGnR9XzhKYalBuj yevKpo8XItFKm0RhMgc9rNnAzKpJR2b79NKxVtIoR5PeEplINmk2LdfReWU_wwR2uRMmwKc81HlXmYg ZNX5QgKTAAx4GI2ecWuX22kCqNfEtbYy1uoUp26xFtPi2N2HfNBVNHtp1gn1VnFeazBvb_tHw==-CxeAaHR0cDovL3d3dy5iaXRsb3JkLmNvbS93aW5kb3dzL0JpdExvcmRTZXR1cC5leGUD-e

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

Remove icreinstall_bitlordsetup.exe - Powered by Reason Core Security