home

prepenv_setup.exe

Genieo Innovation LTD

The application prepenv_setup.exe by Genieo Innovation has been detected as a potentially unwanted program by 2 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. While running, it connects to the Internet address vp-javadl.oracle.com on port 80 using the HTTP protocol.
Publisher:
Genieo Innovation LTD  (signed and verified)

MD5:
1f160edc96e081c1e823aa7cd94e2dd2

SHA-1:
33e11ccdbd22f6a31e4c54f03a3a2d2b7911148e

SHA-256:
c4f6d92e0d9899e5ae07309cb9640b9b0dd90286c7907fb15b57fe7cc1fee876

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
Inserts ads in the web browser and modifies the home page. "Genieo Innovation’s Software may include advertisements, which may be targeted to the content or information on the Software, queries made through the Software, or from other information. You agree that we and our third party providers and partners may place advertising on our Software or in connection with the display of content or information on our Software." (EULA)

Analysis date:
11/23/2024 1:32:03 AM UTC  (today)

Scan engine
Detection
Engine version

Norman
Downloader
11.20141031

Reason Heuristics
PUP.Installer.GenieoInnovation.N
14.10.31.5

File size:
54 KB (55,296 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\roaming\genieo\application\updater\bin\prepenv_setup.exe

Digital Signature
Signed by:
Genieo Innovation LTD

Authority:
Thawte, Inc.

Valid from:
2/10/2014 1:00:00 AM

Valid to:
2/10/2016 12:59:59 AM

Subject:
CN=Genieo Innovation LTD, O=Genieo Innovation LTD, L=Herzliah, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
1B98BC775598D0C401E0D6CC4349529A

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
768:81cVhpQI2EQK0iPDh84nScF15GYbWjXO3XJeRRlqyjNLjEPotElMYXlKYX:aQpQ5EP0ijnRTXJe7tjtiotE6ylX

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to vp-javadl.oracle.com  (137.254.120.23:80)

TCP (HTTP):
Connects to a23-212-109-146.deploy.static.akamaitechnologies.com  (23.212.109.146:80)

Remove prepenv_setup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.