icreinstall_z-zipsetup.exe

Tamonohub

Colifile SLU

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_z-zipsetup.exe, “Tamonohub Setup ” by Colifile SLU has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The file has been seen being downloaded from www.headbundlesfarm.com and multiple other hosts. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Publisher:
Colifile SLU  (signed and verified)

Product:
Tamonohub

Description:
Tamonohub Setup

Version:
3.1.2.8

MD5:
567b9e0cdc0c0b1ec88aa4323729f034

SHA-1:
f37343740995b30ce946202209831d20067c1024

SHA-256:
20a9dea9e465ab3b07936731e38ffea4a05946e66a3d843d8c59d696f1d9ad7e

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Utilizes the InstallCore download manager that may bundle various adware-type offers.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/26/2024 6:11:32 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.installCore.Colifile.Installer (M)
16.5.18.18

File size:
923 KB (945,200 bytes)

Product version:
4.4

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_z-zipsetup.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
11/18/2015 4:00:00 PM

Valid to:
11/18/2016 3:59:59 PM

Subject:
CN=Colifile SLU, O=Colifile SLU, L=Guia de Isora, S=Santa Cruz de Tenerife, C=ES

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
1D8228BD3D6A0EADA24B1453F4593406

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:tFbTot2VMlcSGBBMFkTahVXQ2vnlkRE5EsPh09ilMQ:fBVjB3TCXQ29kR9sPeQ

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 
[+]

Entropy:
7.9330

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file icreinstall_z-zipsetup.exe has been seen being distributed by the following 12 URLs.

temp:Z-ZipSetup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

Remove icreinstall_z-zipsetup.exe - Powered by Reason Core Security