icreinstall_itunes6464setup.exe

Bof

MaxSpeedy (New Media Holdings Ltd.)

The installer utilizes InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_itunes6464setup.exe, “Bof Setup” by MaxSpeedy (New Media Holdings), has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the InstallCore installer. The installer is marketed through download portals and search ads as Apple's iTunes, but it will also install additional software offers, which include adware, PUPs and browser toolbars.
Publisher:
MaxSpeedy (New Media Holdings Ltd.)  (signed and verified)

Product:
Bof

Description:
Bof Setup

MD5:
d44e251482e5a47e9a4a784ef20dc0ce

SHA-1:
304db3a5b291ef62595e744b6332fd4fb7653917

SHA-256:
845de28b2d9685dc336a0f642b4409d3197d80dec4105711ea31c0562ad49bb8

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/26/2024 2:44:59 AM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
PUP.NewMedia.NMH (M)

Engine version:
17.1.19.3

File size:
1.2 MB (1,300,600 bytes)

Product version:
5.7.8

Copyright:
Program Stub

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_itunes6464setup.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
3/17/2016 9:51:50 AM

Valid to:
7/11/2017 8:58:16 AM

Subject:
CN=MaxSpeedy (New Media Holdings Ltd.), O=MaxSpeedy (New Media Holdings Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11212FE10B66405450F8589452B67C5B288F

File PE Metadata
Compilation timestamp:
6/19/1992 4:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Entropy:
7.9849

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file icreinstall_itunes6464setup.exe has been seen being distributed by the following 4 URLs.

http://www.bestbundlelaboratory.com/luLVNauWzGjCIpB0kks0F_hrson2II0cG4a1VRIJNf ccBM9eAMdphIFNR48 J2PQ GGnGU1oKzSX_ZJy G4OfqVgGPKuhahIuWYW1polKyxprJ0PTAMV1EOtLJb24QSJ65dHxukYqwnceoGpbNNuEVCuBOv3vIj6gFqD4aZl6PCA7XMhyZY61UVZLDd1db9 RjkAJOoAEFeVvaIdPx8tDyKnG_GwH0Q8jpSof7omZ9EyAZQv789whrKMVQOpkAw1kdHpX fHc4Ckxa5_sOq apKf0P1QM9lb_9qgaIK8kHke32aZ66duT9QizTxIUGlLRwl3m 1zOi5FVB4e5WfmqIdKDC14ExNSGdAFqZAwy8O4OCZsrjZGzrqXzEZ2_rEc2rrDo1cxAZBTYE5HB7UvHy66RNd0C99R8ZbshjZ0ccFZrz81oDXV55 SvZ5yEdzE5y_OG3Ny2fOXV4LD2NpN3n6OJduEm7hHyAPuzIcxFRHHFuaFXzLAqtVJ3cLQTX8gr604IHmgwH0iNxKWOM FdrMC3MIJu0i_NWudRf4kAHPoT27Z8mDS4MhW_HiHZOgYJGO4VFH-G3UAAOTwGtKtAhtkD9gJG3DgsiU2DoIDDjh4yEp4YTYi9_e9T0L2wLEh9TrXCGiSDcP9rM1FGSacglFEyj5_FWWUQQhMCe4d EQjUJoU GgZeJasYTl6EgIeKpGuhBKluZ8dNX8D

http://www.bestbundlelaboratory.com/5d285xMPswJ5GKszkE7BWmqQTkjlPHn0v87EBdqpd65bdDHEJ1 MmAyf0fayRXHEOoQeQnIrouPJx A7i09qylZ_Loek0KsWv16srGP9RFJOgF1nFKLllcmxPgSQJN_vucdftukqX95T0q9tpKli_fh8 mYlPTN5mLrmKkn4HKCZCa9RB7nvkI6aJxJWAFG4 N191hdzJW4QSDoGmZJvhMduwNmD 3lbpaWcgFS0PjLnsN2bEyqXLpdwE3V_JX02YOM4IFGvhTdbrgBXkch94B 8wTyg93Dqd7k6sNyzObgeFk0A8aP7 AIrlot1GkGMQwaAg8lw4n_Xhgyjig405d3AshvCJGKhhRytGyBhukMUV7Yx44PkpIWNFA82BCMbhmy_sypMRAolO90wEM LVuaX9dMxg7zpo_Q_4xvbO xYZu14QMp1XQ4L235yLCZ9_RpTLFcP2R8Ic4lo9 dS7Znoxxpi4NzLV8UBob3KMDx lUl5 Z6cqtvrHFxP7cf0uxEZV5C_qPYZ6s3lhiqtQGizhTVFqbSWq8ETDdz8GsLA7hU OffG9phFhkWwPyq7BKfWvoNU-G3UAAOTwGtKtAhtkD9gJG3DgsiU2DoIDDjh4yEp4YTYi9_e9T0L2wLEh9TrXCGiSDcP9rM1FGSacglFEyj5_FWWUQQhMCe4d EQjUJoU GgZeJasYTl6EgIeKpGuhBKluZ8dNX8D

http://www.bestbundlelaboratory.com/mU6fHsApJ gB9jfybOk 8lkIUYFtoV acLaSQdwD94OsOMGi14Ozm8GmnRHoBxfWqQIrU_TFRJHX6u_6i0tgzSBoVocrKJh9I3LlBz4OP MLZ CCslatOkauVrRz1QBQBvuHybdMAiR7VPUE94Pd3Y2k6tDF5iH013Akna2J4iNTK04xLYw0AerSgK8mJNr3XAiN6m3sy5j5XPETUreM1nfOt4LmlroSrkWwLswiNfb6K0LSDoOtW3MMdERZUCdcfLdhVS24eKAmddmkIheEiWaJry23enw853ba7DGZieEHJpnlngJ2nVUAdsLBMYK3Q8B9YsKwzi9ypu8SP2 0XLAzmkCGUw7o3SQeY_hCef2bog2PvrqqtGMQPekgOoAz57DV50_XLheU1U5oELBDXy5Uq1L5ylS5b42Io75zHT_FXBmBhl0eP3cK6J3Zoioqsh8seZGwGJQLYNBdePlFj8 Zqn1IngJOSVThNzOGi01GETLgZrgfUKZ68Om_EpcQThImfc3PAcgo_2AcSIFNSCoJVI893dLivkPaJI9_gEKOBlqlLP2Fr17uVQY zWF1PY1w29NA-G3UAAOTwGtKtAhtkD9gJG3DgsiU2DoIDDjh4yEp4YTYi9_e9T0L2wLEh9TrXCGiSDcP9rM1FGSacglFEyj5_FWWUQQhMCe4d EQjUJoU GgZeJasYTl6EgIeKpGuhBKluZ8dNX8D

http://www.bestbundlelaboratory.com/bqmNzjVYtGnXb6bWPZLCtCqU6a73Y 8Sy8JabLXDQ543aqWplvlnB7rSq3s2FEcn y R1jHdsqwwb6kXz7VjQaNSV0pPv7GCgMlqPeUjQX jkbkPb4mzO1vjP6VPL _EF_iAgRzROpmwyFOGGuStWriHprZmT9gnXLGvNYygKDuNTosaybUs0IcT576JZrzhAag8EbPWPO8zpyXjpc5AUTLJ_5KgVL57LKk8jFbc9fKDExCB2K0oENuiHhFsej3H1pKUFf6abXmBD KUSgslFUwg9uKcp1vV7ChHh9gwl2XvLbxMdyjXsw08nhWOBrLofysXR6efA_ckomBMWmPoFXJYWueoC5O4 5MSoNm75_q7lP1DwrO1l5ugDlBEi0MrJ5x8bSvgFFiqXF5ERgtB9NWrDNWzEjdBToqQnX81qFFf7Ldzp4Pt392OEr5hAlRWQXSUvtW6UzXIqNr3K5QZp6E9GZC70_bce3WA3ANhhba1rxLQDuAVwBWDNiVelWCNGg089nDKBd5q5s6FDZgMF6XcgVqCdppNT9EEtJzwTVLqakL1M7b14xyoc7ySyemF32_QI7t9-G3UAAOTwGtKtAhtkD9gJG3DgsiU2DoIDDjh4yEp4YTYi9_e9T0L2wLEh9TrXCGiSDcP9rM1FGSacglFEyj5_FWWUQQhMCe4d EQjUJoU GgZeJasYTl6EgIeKpGuhBKluZ8dNX8D

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

Remove icreinstall_itunes6464setup.exe - Powered by Reason Core Security