icreinstall_z-zipsetup.exe

Tamonohub

Colifile SLU

The installer utilizes InstallCore, which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_z-zipsetup.exe, "Tamonohub Setup" by Colifile SLU, has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the InstallCore installer. The file has been seen being downloaded from www.headbundlesfarm.com and multiple other hosts. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
Colifile SLU (signed and verified)

Product:
Tamonohub

Description:
Tamonohub Setup

Version:
3.1.2.8

MD5:
567b9e0cdc0c0b1ec88aa4323729f034

SHA-1:
f37343740995b30ce946202209831d20067c1024

SHA-256:
20a9dea9e465ab3b07936731e38ffea4a05946e66a3d843d8c59d696f1d9ad7e

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Utilizes the InstallCore download manager, which may bundle various adware-type offers.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/5/2024 10:29:43 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.installCore.Colifile.Installer (M)

Engine version:
16.5.18.18

File size:
923 KB (945,200 bytes)

Product version:
4.4

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_z-zipsetup.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
11/18/2015 4:00:00 PM

Valid to:
11/18/2016 3:59:59 PM

Subject:
CN=Colifile SLU, O=Colifile SLU, L=Guia de Isora, S=Santa Cruz de Tenerife, C=ES

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
1D8228BD3D6A0EADA24B1453F4593406

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM (the fixed default PE timestamp emitted by the Delphi toolchain used to build Inno Setup installers, not the actual build time)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:tFbTot2VMlcSGBBMFkTahVXQ2vnlkRE5EsPh09ilMQ:fBVjB3TCXQ29kR9sPeQ

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...

Entropy:
7.9330

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file icreinstall_z-zipsetup.exe has been seen being distributed by the following 12 URLs.

temp:Z-ZipSetup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com (207.189.109.121:80)

Remove icreinstall_z-zipsetup.exe - Powered by Reason Core Security