icreinstall_pivot_dnld_s_v2.0.exe

Motus Software Limited

The application icreinstall_pivot_dnld_s_v2.0.exe by Motus Software Limited has been flagged as a potentially unwanted program by 9 anti-malware scanners. It is a setup program built with Inno Setup that embeds the InstallCore engine, a download manager which typically bundles about 3-4 offers for ad-supported toolbars, browser extensions and utilities alongside whatever the user actually set out to download. The file has been seen being downloaded from 127.0.0.1 (a loopback port on the victim's own machine, as in the distribution URL recorded below) and from multiple other hosts.
Publisher:
Motus Software Limited  (signed and verified)

MD5:
415034d26494741b35955a041f42adfa

SHA-1:
f871b52cd32c6832479f2becafbb7a98bc209fc4

SHA-256:
22ecd0365aca5a4cf9707890f560a09cba5fbcb92ddcda325b09b5f8322c0600

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/26/2024 5:38:48 PM UTC

Scan engine              Detection                          Engine version
Avira AntiVirus          (detection name not listed)        7.11.134.46
Dr.Web                   Trojan.Packed.25266                9.0.1.061
ESET NOD32               Win32/InstallCore.IJ (variant)     8.9488
Fortinet FortiGate       Riskware/InstallCore               3/2/2014
McAfee                   Artemis!415034D26494               5600.7203
Qihoo 360 Security       Win32/Virus.Adware.94c             1.0.0.1015
Rising Antivirus         PE:Malware.XPACK-LNR/Heur!1.5594   23.00.65.14228
Trend Micro House Call   TROJ_GEN.F47V0129                  7.2.61
Vba32 AntiVirus          (detection name not listed)        3.12.24.3

Only ESET and Fortinet name InstallCore specifically. McAfee's Artemis!415034D26494 is a cloud reputation hit keyed on the first 12 hex digits of the file's MD5, and the Dr.Web, Rising and Trend Micro names are generic packed/heuristic detections rather than family signatures.

File size:
599.7 KB (614,088 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_pivot_dnld_s_v2.0.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
1/2/2014 4:00:00 AM

Valid to:
1/3/2015 3:59:59 AM

Subject:
CN=Motus Software Limited, O=Motus Software Limited, STREET=27 Court Road, L=Lewes, S=East Sussex, PostalCode=BN7 2SA, C=GB

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
40EB5FB3525572FE6019E817FA7674D3

A valid Authenticode signature only ties the file to this publisher certificate; it says nothing about what the bundled offers do, and the certificate's validity window ended in January 2015.

File PE Metadata
Compilation timestamp:
6/20/1992 2:22:17 AM  (the fixed placeholder TimeDateStamp 0x2A425E19 that Delphi-built binaries such as the Inno Setup loader carry; not the real build date)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:cyMJfsG7JMYdLtYSc9Ru3+jejEAyKxYUU8aMmFPxS3nNtjDnC1TAwi:cyMJfs4JLtYSAu3+Kj1yye8TmTS3neBA

Entry address:
0x98CC

Entry point:
55, 8B, EC, 83, C4, CC, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, FA, 97, FF, FF, E8, 01, AA, FF, FF, E8, 2C, CC, FF, FF, E8, 73, CC, FF, FF, E8, 0A, F3, FF, FF, E8, 71, F4, FF, FF, 33, C0, 55, 68, 76, 9F, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 2C, 9F, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, B0, 40, 00, E8, 9B, FE, FF, FF, E8, 26, FA, FF, FF, 8D, 55, F0, 33, C0, E8, E0, D0, FF, FF, 8B, 55, F0, B8, D8, BD, 40, 00, E8, AB, 98, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, D8, BD, 40, 00, B2, 01, B8...

Entropy:
7.8196  (of a maximum 8.0: the file is almost entirely compressed data, as expected for an Inno Setup installer whose payload is appended to a small loader stub; compare the 36 KB code size with the 600 KB file size)

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
36 KB (36,864 bytes)
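The fields in the "File PE Metadata" block above come straight from the PE headers and can be read with nothing but the Python standard library. The following is an added example, not code from the original page or from Reason Core Security: it walks the DOS header, PE signature, COFF header and optional header, computes byte entropy, and flags the two points a practitioner should know about an Inno Setup / InstallCore dropper (the Delphi placeholder timestamp 0x2A425E19 behind the 1992 build date, and a near-8.0 entropy that means compressed payload rather than packed code). The `INNO_MARKER` string search is a heuristic assumption, and `SAMPLE_PE` is a constructed minimal image that mirrors the page's header values, not the real file.

```python
"""Pure standard-library PE header inspector (added example, not the page's code)."""
import math
import random
import struct
from datetime import datetime, timezone

DELPHI_PLACEHOLDER_TIMESTAMP = 0x2A425E19   # 1992-06-19 22:22:17 UTC, emitted by Delphi linkers
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
INNO_MARKER = b"Inno Setup"                 # heuristic assumption: string found in Inno Setup installers


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_header(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF file header is 20 bytes
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic not in (0x10B, 0x20B):                   # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)   # same offset in PE32 and PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine, "sections": nsections, "timestamp": timestamp,
        "linker": (linker_major, linker_minor), "size_of_code": size_of_code,
        "entry_rva": entry_rva, "os_version": (os_major, os_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "bitness": "Win32" if magic == 0x10B else "Win64",
    }


def inspect(data: bytes) -> dict:
    """Summarise a PE file the way the page's metadata block does, plus the caveats."""
    h = parse_pe_header(data)
    ts = datetime.fromtimestamp(h["timestamp"], tz=timezone.utc)
    return {
        "timestamp_utc": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "placeholder_timestamp": h["timestamp"] == DELPHI_PLACEHOLDER_TIMESTAMP,
        "linker_version": "%d.%d" % h["linker"],
        "os_version": "%d.%d" % h["os_version"],
        "bitness": h["bitness"],
        "subsystem": h["subsystem"],
        "entry_rva": h["entry_rva"],
        "size_of_code": h["size_of_code"],
        "entropy": round(shannon_entropy(data), 4),
        "inno_setup_marker": INNO_MARKER in data,
    }


def _build_sample_pe() -> bytes:
    """Constructed minimal PE32 image mirroring the page's header values (not the real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, DELPHI_PLACEHOLDER_TIMESTAMP, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 2, 25, 36864)        # PE32, linker 2.25, 36 KB of code
    struct.pack_into("<I", opt, 16, 0x98CC)                       # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 1, 0)                        # OS version 1.0
    struct.pack_into("<H", opt, 68, 2)                            # Windows GUI subsystem
    rng = random.Random(2024)                                     # seeded: stands in for compressed setup data
    payload = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"Inno Setup Setup Data (5.5.9)" + payload


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    for key, value in inspect(SAMPLE_PE).items():
        print("%-22s %s" % (key, hex(value) if key == "entry_rva" else value))
```

Run against the real sample, `inspect(open(path, "rb").read())` should report `placeholder_timestamp` as true, linker 2.25 and an entropy close to the 7.8196 listed; on a normal compiled program the timestamp is the actual build time and entropy sits well below 7.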

The file icreinstall_pivot_dnld_s_v2.0.exe has been seen being distributed from the following URLs (2 recorded; one shown).

http://127.0.0.1:37848/continue?TiCredToken=30697&Source=WTP&URL=http://dnld.ironcustapps.com/cust/.../Pivot_dnld_s_v2.0.exe

The executing file has been seen making the following network connections in live environments. Both endpoints resolve to Amazon EC2 instances, i.e. shared, reassignable cloud addresses, so on their own they are weak indicators.

TCP (HTTP):
Connects to ec2-52-208-40-227.eu-west-1.compute.amazonaws.com  (52.208.40.227:80)

TCP (HTTP):
Connects to ec2-54-232-222-104.sa-east-1.compute.amazonaws.com  (54.232.222.104:80)
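The hashes, the common drop path under %TEMP% and the two egress addresses above are the indicators a responder would sweep for. The following is an added example, not code from the original page or from Reason Core Security: it runs those indicators over Sysmon-style process and network events and grades each hit, since a hash match identifies this exact sample, an `icreinstall_*.exe` drop in %TEMP% (the page's common path, generalised) identifies the InstallCore dropper family, and an EC2 address match is only a lead. `SAMPLE_EVENTS` are constructed JSON lines, not real telemetry, and the field names are assumptions.

```python
"""Graded IOC sweep over constructed endpoint telemetry (added example, not the page's code)."""
import fnmatch
import json
from typing import List, Optional, Tuple

# Indicators taken from the page entry for icreinstall_pivot_dnld_s_v2.0.exe
IOC_HASHES = {
    "415034d26494741b35955a041f42adfa",                                   # MD5
    "f871b52cd32c6832479f2becafbb7a98bc209fc4",                           # SHA-1
    "22ecd0365aca5a4cf9707890f560a09cba5fbcb92ddcda325b09b5f8322c0600",   # SHA-256
}
IOC_PATH_GLOB = "c:\\users\\*\\appdata\\local\\temp\\icreinstall_*.exe"   # page's common path, generalised
IOC_IPS = {"52.208.40.227", "54.232.222.104"}                            # EC2 hosts: shared, reassignable
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample telemetry (JSON lines, Sysmon-like field names are assumptions);
# only the values repeated from the page are real, everything else is made up.
SAMPLE_EVENTS = [
    r'{"id":1,"type":"process","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\icreinstall_pivot_dnld_s_v2.0.exe","md5":"415034D26494741B35955A041F42ADFA","sha256":"22ecd0365aca5a4cf9707890f560a09cba5fbcb92ddcda325b09b5f8322c0600"}',
    r'{"id":2,"type":"network","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\icreinstall_pivot_dnld_s_v2.0.exe","dst_ip":"52.208.40.227","dst_port":80}',
    r'{"id":3,"type":"process","image":"C:\\Program Files\\7-Zip\\7zFM.exe","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}',
    r'{"id":4,"type":"process","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\icreinstall_other_dnld_v3.1.exe","md5":"ffffffffffffffffffffffffffffffff"}',
    r'{"id":5,"type":"network","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dst_ip":"54.232.222.104","dst_port":443}',
]


def classify(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (confidence, reasons) for one event, or None when nothing matches."""
    findings = []
    for key in ("md5", "sha1", "sha256"):                     # hashes compared case-insensitively
        if ev.get(key, "").lower() in IOC_HASHES:
            findings.append(("high", "%s matches the known sample" % key))
    image = ev.get("image", "").lower()                       # Windows paths are case-insensitive
    if image and fnmatch.fnmatchcase(image, IOC_PATH_GLOB):
        findings.append(("medium", "InstallCore-style icreinstall_*.exe dropped in %TEMP%"))
    if ev.get("dst_ip") in IOC_IPS:
        findings.append(("low", "connects to EC2 address seen in sandbox (shared cloud IP)"))
    if not findings:
        return None
    best = max(findings, key=lambda f: RANK[f[0]])            # report the strongest signal
    return best[0], "; ".join(reason for _, reason in findings)


def sweep(lines: List[str]) -> List[dict]:
    """Parse JSON-line events and return one record per event that matched an indicator."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        result = classify(ev)
        if result:
            hits.append({"id": ev["id"], "confidence": result[0], "reasons": result[1]})
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVENTS):
        print("event %d  %-6s  %s" % (hit["id"], hit["confidence"], hit["reasons"]))
```

The path glob is the durable part of this sweep: InstallCore drops change hash with every rebuild, but the `icreinstall_` prefix in the user's Temp directory recurs, which is why it is graded above the cloud IPs but below an exact hash.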

Remove icreinstall_pivot_dnld_s_v2.0.exe - Powered by Reason Core Security