home

icreinstall_facebookunfriendfinder.exe

IronInstall

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_facebookunfriendfinder.exe by IronInstall has been detected as adware by 19 anti-malware scanners. The program is a setup application that uses the installCore installer. According to Microsoft Security Essentials, the software includes a bundle of the DealPly adware which is installed on a user's PC during setup using the InstallCore platform. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
IronInstall  (signed and verified)

MD5:
2f4edfc84fd9293936961d6ad3afac2e

SHA-1:
7041f55d9d4c05044207d18a7a0e324fff0d2f82

SHA-256:
5f41b1b8a55ac0c068a7af9eb77ffe963a30391b35f37a2e236399dc16b8e4b6

Scanner detections:
19 / 68

Status:
Adware

Explanation:
This software bundler installs other potentially unwanted software, including DealPly. Which includes offers in a user's web browser which state they are "Powered by DealPly".

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/6/2024 2:42:33 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/InstallCore.Gen7
7.11.115.240

avast!
Win32:Installer-I [PUP]
2014.9-131230

Bkav FE
W32.Clodb4f.Trojan
1.3.0.4613

Comodo Security
ApplicUnwnt
17343

Dr.Web
Adware.InstallCore.125
9.0.1.0364

ESET NOD32
Win32/InstallCore.CF (variant)
7.9100

F-Prot
W32/InstallCore.R2.gen
v6.4.7.1.166

herdProtect (fuzzy)
variant of icreinstall_fbfriendalert.exe (Adware)
2014.1.9.12

IKARUS anti.virus
Win32.SuspectCrc
t3scan.2.2.29

K7 AntiVirus
Unwanted-Program
13.174.10319

Malwarebytes
PUP.Optional.InstallCore
v2013.12.30.03

McAfee
Artemis!2F4EDFC84FD9
5600.7265

Microsoft Security Essentials
SoftwareBundler:Win32/DealPly
1.163.1557.0

Panda Antivirus
Adware/MultiToolbar
14.01.09.12

Reason Heuristics
PUP.IronInstall.c
14.8.7.18

Rising Antivirus
PE:PUA.XPACK-LNR!1.5594
23.00.65.131228

Sophos
Install Core Click run software
4.95

Trend Micro House Call
TROJ_GEN.F47V1005
7.2.364

VIPRE Antivirus
InstallCore
23768

File size:
600.8 KB (615,264 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_facebookunfriendfinder.exe

Digital Signature
Signed by:
IronInstall

Authority:
COMODO CA Limited

Valid from:
11/20/2012 1:00:00 AM

Valid to:
11/21/2015 12:59:59 AM

Subject:
CN=IronInstall, O=IronInstall, STREET=63 Rothschild Blvd., L=Tel-Aviv, S=NA, PostalCode=65785, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2DC5BB8E9D823CD0C4F09AE859BBBEAC

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:1RkOyMJfsG66SGy54x5TkzDtJVjIvf/O4X2yIx5fgr0ecDOQ6eaUjBILmBBHgrFb:sOyMJfsxGy5M5ozNjaf/TpK5fA0sQ6eS

Entry address:
0x98CC

Entry point:
55, 8B, EC, 83, C4, CC, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, FA, 97, FF, FF, E8, 01, AA, FF, FF, E8, 2C, CC, FF, FF, E8, 73, CC, FF, FF, E8, 0A, F3, FF, FF, E8, 71, F4, FF, FF, 33, C0, 55, 68, 76, 9F, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 2C, 9F, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, B0, 40, 00, E8, 9B, FE, FF, FF, E8, 26, FA, FF, FF, 8D, 55, F0, 33, C0, E8, E0, D0, FF, FF, 8B, 55, F0, B8, D8, BD, 40, 00, E8, AB, 98, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, D8, BD, 40, 00, B2, 01, B8...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
36 KB (36,864 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_facebookunfriendfinder.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.