icreinstall_microsoft-word.exe

Dula

Contumar Empresarial s.l.

The installer utilizes InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_microsoft-word.exe, “Dula Setup” by Contumar Empresarial s.l., has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the Solimba DownloadMR installer. The installer uses the Solimba download manager to push adware offers during the download and setup process. Bundled adware includes search and shopping web browser toolbars.
Publisher:
Feloruteb (signed by Contumar Empresarial s.l.)

Product:
Dula

Description:
Dula Setup

MD5:
0b1b16061146918c8bc82ebf7aa4226f

SHA-1:
c9f5f415d3be900aa97948531c2da85af29f489f

SHA-256:
ceec383dad6f41e8cd21d2e3a0ed2e3d9dfa619bc6b8f107bc7301aa37fb3dcb

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses the Solimba installer to bundle adware offers.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping-comparison tools and browser extensions.

Analysis date:
1/13/2025 4:00:10 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Solimba.Contumar.Bundler (M)

Engine version:
16.5.20.18

File size:
967.7 KB (990,928 bytes)

Product version:
2.0.0

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Solimba DownloadMR (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_microsoft-word.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
12/22/2015 9:58:46 AM

Valid to:
9/24/2016 11:00:25 AM

Subject:
CN=Contumar Empresarial s.l., O=Contumar Empresarial s.l., L=Barcelona, S=Barcelona, C=ES

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121C3F1094CE6FD9B88C9B67F5FDD17327E

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:AgvwA8dg3aojDzzx4mo93vRwuaTspoFuEOWvSldJDF1aggiD/:A8X0QaojDZ4HqDYpoAEOkIJDLagD/

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...

Entropy:
7.9330

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file icreinstall_microsoft-word.exe has been observed being distributed from the following 4 URLs.

http://www.contentlaboratorynew.com/c?x=s3LilO/ZO/J2HMGrI/POT6YE54i1LOhMcfqKthYeZWA=&c=yPtUb52CAGwqTLiJpgxR9Q9esFSv4ckzwvXEjFKeQK/.../glRGpA9af78dyNHCBHIeitOfU&downloadAs=microsoft-word.exe&fallback_url=Fallback URL

http://www.contentlaboratorynew.com/.../itCfWu1Kcbpaj6pCPhksoIHIkg1SJ19jwkfaCY4WxtUhb1oumrL6Ad&downloadAs=microsoft-word.exe&fallback_url=Fallback URL

When executed, the file has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to os.solvefile.com (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com (207.189.109.121:80)

Remove icreinstall_microsoft-word.exe - Powered by Reason Core Security