icreinstall_microsoft word 2007.exe

Lipipo

Ringier Axel Springer Polska Sp z o.o.

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_microsoft word 2007.exe, “Lipipo Setup ” by Ringier Axel Springer Polska Sp z o.o has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from www.bytesendclear.com and multiple other hosts. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:

Product:
Lipipo

Description:
Lipipo Setup

MD5:
13a4343d2c6fafc1ded5325874e43964

SHA-1:
6584ee9d2fe7494e4b44bb05a73e23c54c694f9f

SHA-256:
47d97627517e360e6c454c16e0ea1f313726ada0606486cec46a2906bb70c735

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/26/2024 5:53:29 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.installCore.RingierA.Installer (M)
16.4.14.1

File size:
981.5 KB (1,005,080 bytes)

Product version:
3.2

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_microsoft word 2007.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
3/9/2016 1:00:00 AM

Valid to:
6/9/2017 1:59:59 AM

Subject:
CN=Ringier Axel Springer Polska Sp z o.o., OU=IT, O=Ringier Axel Springer Polska Sp z o.o., L=Warszawa, S=mazowieckie, C=PL

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
557243849A8D8DD9D7B27195479D3647

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:/hSbYQeXL0gjjQAJ6WNiLiBBLB6wK9q3Z9OfS:/0EQ6L0+jQ+6QiLoRB6wK9mXd

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file icreinstall_microsoft word 2007.exe has been seen being distributed by the following 50 URLs.

http://www.bytesendclear.com/WVl6OTRQVzlyZWtsVGRHUnNlSFppTlhkUmVHOGxNa1pVVVZabVMxQlFSbXA1YVRjMmVXNU1aMDFvUkRsRlVISlljeVV6UkNaalBUQjJKVEpHUVRKb1UyMVFiV2sxWlZSdVJHWmFPWGxGVkVkeVNqQnFkVGd3VnlVeVFsQnVTazluTVZVemVHOVJOR3RTYURBNFRFdE1TMEZRV0dVNFREZHBRMUZTTTFGUk9YSmhhSEpzYlhSYVdsZzBObU5GYVc0Mk5YUjRNM2g0VVdjMVFsQlRSVlZQTVc1cWFqRjBUbVJwVjB0M1RuaExPVUpDV2s1SmNqaGFTM3BwUlU5RU1GVm1hRE5QY1ZneWJFUTNaVXhaUlVoamRYY2xNMFFsTTBRbVpUMHhKbVpoYkd4aVlXTnJYM1Z5YkQxb2RIUndKVE5oSlRKbUpUSm1aRzkzYm14dllXUXVhMjl0Y0hWMFpYSnpkMmxoZEM1d2JDVXlabUpwZFhKdkxXa3RjSEpoWTJFbE1tWmxaSGwwYjNKNUxYUmxhM04wZFNVeVptMXBZM0p2YzI5bWRDMTNiM0prTFRJd01EY2xNMlpoYkhSVVpXMXdiR0YwWlNVelpHUnNWWEpzVjJsMGFFdHpVR3gxYzBkcFpuUklkRzFzUm1sc1pTWmtiM2R1Ykc5aFpFRnpQVTFwWTNKdmMyOW1kQ3RYYjNKa0t6SXdNRGN1WlhobA==

http://www.towershostingtour.com/WVl6OTRQWGx3VUhCRlNubENWalJZTTBJbE1rWktOak5XY25wNlMyNDRKVEpDYUV4WFFtOUxSakJvZGpRMWJtSnVXWFZySlRORUptTTlSeVV5Um5rMGNYWXlaVzF6ZDB0UGVsTk9OSGMyYTBzbE1rWTNUek5DYzFac2FHbzBhSEpIWVhwWU0zQm1UbVkxVEdSbVkzTnZPVFlsTWtaU1ZVRlhjbFZJYVhCMWFVUkJWRnBYTnlVeVJrMUNSRGhGVlVoVWVGTnRaVkZHZFZZMGMxazVibE5uUjBWRlZIQWxNa0kwVTJkaFRrbHFOVzBsTWtaWlowbEtObGR1UVdsNFQwNVNaR0pJYTJGWlVtSllRMjlYZUhGM2EyRjJabTl2TTNwakpUSkdTbWNsTTBRbE0wUW1aVDB4Sm1aaGJHeGlZV05yWDNWeWJEMW9kSFJ3SlROaEpUSm1KVEptWkc5M2JteHZZV1F1YTI5dGNIVjBaWEp6ZDJsaGRDNXdiQ1V5Wm1KcGRYSnZMV2t0Y0hKaFkyRWxNbVpsWkhsMGIzSjVMWFJsYTNOMGRTVXlabTFwWTNKdmMyOW1kQzEzYjNKa0xUSXdNRGNsTTJaaGJIUlVaVzF3YkdGMFpTVXpaR1JzVlhKc1YybDBhRXR6VUd4MWMwZHBablJJZEcxc1JtbHNaU1prYjNkdWJHOWhaRUZ6UFUxcFkzSnZjMjltZEN0WGIzSmtLekl3TURjdVpYaGw=

http://www.bytesendclear.com/WVl6OTRQVWxNYjBjeWFFUnRiVXhqUXpFM2NIZ2xNa0pCYmtseVdYWjVkMlpLY2xkMk4zVTNjbGszVDFKMmNqUkZRU1V6UkNaalBXazVRa3QyZFc1SFptSlFkM0E1YWxJMFVuTlJTMUpDWkRrNVJISnJXVzF4T1d3bE1rSmxVMnByYjFaaFdVZElaMFZaU2pGcVpuZDBlV2xCTkZnbE1rSkhjazVNUWpJMlVFWklaVlpKU1VGUk5WcHBkbGczSlRKQ1FqRktTWEZYUTNOeE1WaDFNRzFQWkRsUE1XZHJaelZDT1haTlQwVnRSelJ0UVc0eVRWcHdlV280WkRjeVJWQkxUaVV5UmtwdE1qbG1XWG8zWkRSdFpFaHRlSGwzSlRORUpUTkVKbVU5TVNabVlXeHNZbUZqYTE5MWNtdzlhSFIwY0NVellTVXlaaVV5Wm1SdmQyNXNiMkZrTG10dmJYQjFkR1Z5YzNkcFlYUXVjR3dsTW1aaWFYVnlieTFwTFhCeVlXTmhKVEptWldSNWRHOXllUzEwWld0emRIVWxNbVp0YVdOeWIzTnZablF0ZDI5eVpDMHlNREEzSlRObVlXeDBWR1Z0Y0d4aGRHVWxNMlJrYkZWeWJGZHBkR2hMYzFCc2RYTkhhV1owU0hSdGJFWnBiR1VtWkc5M2JteHZZV1JCY3oxTmFXTnliM052Wm5RclYyOXlaQ3N5TURBM0xtVjRaUT09

http://www.bytesendclear.com/WVl6OTRQVEY0U0VOT1JITnVZMjVWV0RGbGRsRmxNVGRwUkdsbVJrZHdTRzUxWTNkbFMwOVJNVXBzUW1KUU1rMGxNMFFtWXoxR2NXaEhhVkV4VnpjM1RVSlhkbXR0TjJwVGVYTmlkV2wzUkdaeFNEWlVRVWxrZW1rbE1rWjJWVWhLV2sxTGVpVXlRbFowZEZsdlkxazFlWGxWU1ZRbE1rSlFkRUpDUmxSNk4yZ2xNa0ppVkdsM1J6QkNZVzVJZVRSQ1VtcGhXRE5LVVRKcGFreGFNalJPYmtnbE1rWk9TelJJUjJOUWNreFFhekJSTVU1WmJrUm9XWHAwVms5RFlVUXlhVUZ5ZFhoMlF6ZHpUVFJNTmxGbFdrUjRjRzFuSlRORUpUTkVKbVU5TVNabVlXeHNZbUZqYTE5MWNtdzlhSFIwY0NVellTVXlaaVV5Wm1SdmQyNXNiMkZrTG10dmJYQjFkR1Z5YzNkcFlYUXVjR3dsTW1aaWFYVnlieTFwTFhCeVlXTmhKVEptWldSNWRHOXllUzEwWld0emRIVWxNbVp0YVdOeWIzTnZablF0ZDI5eVpDMHlNREEzSlRObVlXeDBWR1Z0Y0d4aGRHVWxNMlJrYkZWeWJGZHBkR2hMYzFCc2RYTkhhV1owU0hSdGJFWnBiR1VtWkc5M2JteHZZV1JCY3oxTmFXTnliM052Wm5RclYyOXlaQ3N5TURBM0xtVjRaUT09

http://www.bytesendclear.com/WVl6OTRQU1V5Um1rNWNVZFdXRkZTUjJOS09FUnVORWR6UW1zMVptdEtWakU0Wm1oR01DVXlRbkJTYm5sSVJWZE5VM1ZuSlRORUptTTlPVkI1Y1VWb09HRmhlbTUwY0RWM09YZFBZbFpUZG5ONlQwMVRTMWRXVWpJeFpWQlZTMDFHYjBGcVZUVTFkWE52UW5GcFYzSjVWRGhNTlZkaVMzQlZaRU5oTjNWaFNVOW5VR2hPY0VWd1QweHFUelY0ZFhSTk5teEJiU1V5Umt0RFVHNVhlamhPUjNSNlRGVXdObE4zYzFKMmRteEdhalZxZW1Sbk9IRnRSMHgzVXpoNVRsRm9ZMjh6WjNsVE56RnFaRlJyUWtkNVFVRWxNMFFsTTBRbVpUMHhKbVpoYkd4aVlXTnJYM1Z5YkQxb2RIUndKVE5oSlRKbUpUSm1aRzkzYm14dllXUXVhMjl0Y0hWMFpYSnpkMmxoZEM1d2JDVXlabUpwZFhKdkxXa3RjSEpoWTJFbE1tWmxaSGwwYjNKNUxYUmxhM04wZFNVeVptMXBZM0p2YzI5bWRDMTNiM0prTFRJd01EY2xNMlpoYkhSVVpXMXdiR0YwWlNVelpHUnNWWEpzVjJsMGFFdHpVR3gxYzBkcFpuUklkRzFzUm1sc1pTWmtiM2R1Ykc5aFpFRnpQVTFwWTNKdmMyOW1kQ3RYYjNKa0t6SXdNRGN1WlhobA==

http://www.bytesendclear.com/WVl6OTRQV3g0YVRaV2VHdFRUMmRXYzNVbE1rWXdhVGhIVEhCblEwVnZjMVZoUlV4eVExUkxiVkZrTmtZd04yaGtaeVV6UkNaalBWUllaWHBrUzFCcGNpVXlRbWRxVEVaUmRURndPVmxxU25kTVYwZFdOREZGWmxOT1IxcEJTWE5VVTJ0VE1YbFJlblJ1YUc0MGJuTjRVamh3YldwSWJUbDNlbUp6Y25GMk4yUmljMk14ZVRWdk1rOUdTbUpEYlZKS1dHdGpXVTlTSlRKR1NWQlFTa1pUV2pSaGQya3hNWFo0YWlVeVJsZFRXSGR4WlhjbE1rWjBVMGxtU1ZaRk9FVnlWRlF5WjJrbE1rSmlOVzh4U2twdmMwcFJjWFZRUlhjbE0wUWxNMFFtWlQweEptWmhiR3hpWVdOclgzVnliRDFvZEhSd0pUTmhKVEptSlRKbVpHOTNibXh2WVdRdWEyOXRjSFYwWlhKemQybGhkQzV3YkNVeVptSnBkWEp2TFdrdGNISmhZMkVsTW1abFpIbDBiM0o1TFhSbGEzTjBkU1V5Wm0xcFkzSnZjMjltZEMxM2IzSmtMVEl3TURjbE0yWmhiSFJVWlcxd2JHRjBaU1V6WkdSc1ZYSnNWMmwwYUV0elVHeDFjMGRwWm5SSWRHMXNSbWxzWlNaa2IzZHViRzloWkVGelBVMXBZM0p2YzI5bWRDdFhiM0prS3pJd01EY3VaWGhs

http://www.bytesendclear.com/WVl6OTRQWEZIY0U0eVRVVkNNVEJIYjNKdGJXcG1ZMDQ1VTJZek9FcEJiVUZKVTJad09XTnhNWGhXVUVsRWNYTWxNMFFtWXoxSVUyaFVVV2xCVlV0d2VYTnRiVnB1UmlVeVFsRnVOekp0VFNVeVFsRlJUVUZpUjBSRFZHMUJaR2R3TmxCUFFtUm1iRmRGVkRSbk5rdzVSVWQxTjNVNFMwWTNRVUZhY1ZaSWIyRm5iMXB0V2xFeFdHVWxNa0kxU2paeFlVbElNREJaT0ROMkpUSkNTbnBTUm14TGNFdHpOa2x2TUhCTU5FSmtjRzFMUlNVeVFrNXRTVGRxSlRKQ0pUSkdlbmRrYkRoUWJVVnRjVzk0YjJZbE1rWTNaeklsTWtaelNUTlJjRkVsTTBRbE0wUW1aVDB4Sm1aaGJHeGlZV05yWDNWeWJEMW9kSFJ3SlROaEpUSm1KVEptWkc5M2JteHZZV1F1YTI5dGNIVjBaWEp6ZDJsaGRDNXdiQ1V5Wm1KcGRYSnZMV2t0Y0hKaFkyRWxNbVpsWkhsMGIzSjVMWFJsYTNOMGRTVXlabTFwWTNKdmMyOW1kQzEzYjNKa0xUSXdNRGNsTTJaaGJIUlVaVzF3YkdGMFpTVXpaR1JzVlhKc1YybDBhRXR6VUd4MWMwZHBablJJZEcxc1JtbHNaU1prYjNkdWJHOWhaRUZ6UFUxcFkzSnZjMjltZEN0WGIzSmtLekl3TURjdVpYaGw=

http://www.bytesendclear.com/WVl6OTRQV2huU1RsRU5sVTVlVkJOV25NMkpUSkdNamxSYUdkbGVXTnZTbTVQUjFWQ1lUQkxXbTF3ZVc4M2NFUk1VU1V6UkNaalBXdFNPSEp4VjJSTlQwaDBKVEpDZWtRemNtRk9XR1F6T0dwbFJWRlpjRzV2SlRKR2FEbDFka05HY0RsWWJVbGpUMmt4YzFSSVZHOUVhMUV5UWxoTFdsVkNSMVpqYjJGcldFbFdPRXB5V21GWE5WUXpTa042VTFZM01YUldZWGQ0VmxsSU9WTTNNbGQ0UTJoUk1YbFhXQ1V5UWxKTk5EQmpOMHRwUTFkUFpERnFWekl5UjFvelIwTm1iM2RLYTBremEzVXphMlF3SlRKQ1pGTjZjSGhCSlRORUpUTkVKbVU5TVNabVlXeHNZbUZqYTE5MWNtdzlhSFIwY0NVellTVXlaaVV5Wm1SdmQyNXNiMkZrTG10dmJYQjFkR1Z5YzNkcFlYUXVjR3dsTW1aaWFYVnlieTFwTFhCeVlXTmhKVEptWldSNWRHOXllUzEwWld0emRIVWxNbVp0YVdOeWIzTnZablF0ZDI5eVpDMHlNREEzSlRObVlXeDBWR1Z0Y0d4aGRHVWxNMlJrYkZWeWJGZHBkR2hMYzFCc2RYTkhhV1owU0hSdGJFWnBiR1VtWkc5M2JteHZZV1JCY3oxTmFXTnliM052Wm5RclYyOXlaQ3N5TURBM0xtVjRaUT09

Latest 30 of 63 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdneu.webfilescdn.com  (65.254.40.36:80)

Remove icreinstall_microsoft word 2007.exe - Powered by Reason Core Security