home

icreinstall_fbfriendalert.exe

IronInstall

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_fbfriendalert.exe by IronInstall has been detected as adware by 18 anti-malware scanners. The program is a setup application that uses the installCore installer. According to Microsoft Security Essentials, the software includes a bundle of the DealPly adware which is installed on a user's PC during setup using the InstallCore platform. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
IronInstall  (signed and verified)

MD5:
03060463ee401dc402ece495c05099ca

SHA-1:
0b59dc4e524f8c97e83437081c5a63b3607cdbe1

SHA-256:
97b5a41a9958a4e66c31461aa258536abf43ed20047fdcac4449566c000b0096

Scanner detections:
18 / 68

Status:
Adware

Explanation:
This software bundler installs other potentially unwanted software, including DealPly. Which includes offers in a user's web browser which state they are "Powered by DealPly".

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/6/2024 5:03:56 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/InstallCore.Gen7
7.11.122.10

avast!
Win32:Installer-I [PUP]
2014.9-131222

Bkav FE
W32.Clodb4f.Trojan
1.3.0.4613

Comodo Security
ApplicUnwnt
17498

Dr.Web
Adware.InstallCore.125
9.0.1.0356

ESET NOD32
Win32/InstallCore.CF (variant)
7.9190

F-Prot
W32/InstallCore.R2.gen
v6.4.7.1.166

IKARUS anti.virus
SoftwareBundler
t3scan.2.2.29

K7 AntiVirus
Unwanted-Program
13.174.10623

Malwarebytes
PUP.Optional.InstallCore
v2013.12.22.09

McAfee
Artemis!03060463EE40
5600.7274

Microsoft Security Essentials
SoftwareBundler:Win32/DealPly
1.165.247.01

Panda Antivirus
Adware/MultiToolbar
14.01.06.06

Reason Heuristics
PUP.IronInstall.Z
14.8.7.18

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.131220

Sophos
Install Core Click run software
4.96

Trend Micro House Call
TROJ_GEN.F47V0815
7.2.356

VIPRE Antivirus
InstallCore
24746

File size:
600.8 KB (615,264 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_fbfriendalert.exe

Digital Signature
Signed by:
IronInstall

Authority:
COMODO CA Limited

Valid from:
11/20/2012 1:00:00 AM

Valid to:
11/21/2015 12:59:59 AM

Subject:
CN=IronInstall, O=IronInstall, STREET=63 Rothschild Blvd., L=Tel-Aviv, S=NA, PostalCode=65785, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2DC5BB8E9D823CD0C4F09AE859BBBEAC

File PE Metadata
Compilation timestamp:
6/19/1992 11:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:1RkOyMJfsG66SGy54x5TkzDtJVjIvf/O4X2yIx5fgr0ecDOQ6eaUjBILmBBHgrFb:sOyMJfsxGy5M5ozNjaf/TpK5fA0sQ6eS

Entry address:
0x98CC

Entry point:
55, 8B, EC, 83, C4, CC, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, FA, 97, FF, FF, E8, 01, AA, FF, FF, E8, 2C, CC, FF, FF, E8, 73, CC, FF, FF, E8, 0A, F3, FF, FF, E8, 71, F4, FF, FF, 33, C0, 55, 68, 76, 9F, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 2C, 9F, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, B0, 40, 00, E8, 9B, FE, FF, FF, E8, 26, FA, FF, FF, 8D, 55, F0, 33, C0, E8, E0, D0, FF, FF, 8B, 55, F0, B8, D8, BD, 40, 00, E8, AB, 98, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, D8, BD, 40, 00, B2, 01, B8...
 
[+]

Entropy:
7.7211

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
36 KB (36,864 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_fbfriendalert.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.