prepreinstaller_win.exe

The application prepreinstaller_win.exe has been flagged as a potentially unwanted program by 1 of 68 anti-malware scanners; the single detection comes from the Reason Heuristics engine, which classifies the file as adware (Adware.Imali). It is a setup program used to install an application. The file has been observed being downloaded from ddnmom68doto5.cloudfront.net and multiple other hosts. While running, it connects to server-52-84-246-99.sfo20.r.cloudfront.net (52.84.246.99) on TCP port 80 using unencrypted HTTP.
MD5:
9bad3f3ea94dd95bb54d16390ff7fb41

SHA-1:
96f5e4ce6db03aa2301167a68c5b51c1cd1b5e27

SHA-256:
d0970fb8e859c22b22b7d2a49d307a29800571cbc624424a9654459c4939bf82

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/25/2024 1:02:07 AM UTC

Scan engine:
Reason Heuristics

Detection:
Adware.Imali

Engine version:
16.3.30.7

File size:
250.5 KB (256,512 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\prepreinstaller_win.exe

File PE Metadata
Compilation timestamp:
3/30/2016 10:12:05 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
6144:7SV6hdestkR3VIZQf/4ekrnfDdVKlxpeE7JKrE+:7SIYstavfRw7TspeEVKrE+

Entry address:
0x12143

Entry point:
E8, A8, 3A, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 90, A5, 42, 00, E8, F7, 1B, 00, 00, E8, DB, 1F, 00, 00, 0F, B7, F0, 6A, 02, E8, 3B, 3A, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 1C, 2F, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Code size:
124.5 KB (127,488 bytes)
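The metadata above (hashes, compilation timestamp, OS version, linker version, subsystem, entry address, code size) can all be recovered from the raw file with a few struct reads, which is the quickest way to confirm on your own host that a suspect file is the same build as the one recorded here. The script below is an added example and is not code from the original page or from the vendor; the hash values and PE fields are copied from this page, while the header produced by build_synthetic_header() is constructed solely to exercise the parser and is not the real sample. The ImageBase of 0x400000 is an assumption taken from the address compared in the entry-point bytes, not a field listed on the page.

```python
import calendar
import hashlib
import struct
from datetime import datetime, timezone

# Indicators copied from this page.
PAGE_HASHES = {
    "md5": "9bad3f3ea94dd95bb54d16390ff7fb41",
    "sha1": "96f5e4ce6db03aa2301167a68c5b51c1cd1b5e27",
    "sha256": "d0970fb8e859c22b22b7d2a49d307a29800571cbc624424a9654459c4939bf82",
}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
PE32_MAGIC = 0x10B


def hash_bytes(data):
    """Return md5/sha1/sha256 hex digests of `data`, keyed like PAGE_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in PAGE_HASHES}


def matches_page(data):
    """True only if all three digests equal the values recorded on the page."""
    return hash_bytes(data) == PAGE_HASHES


def parse_pe32(data):
    """Extract the header fields this page lists from a PE32 image (raw bytes).

    Offsets follow the PE/COFF layout: DOS header -> e_lfanew -> 'PE\\0\\0'
    -> 20-byte COFF header -> optional header (PE32 variant).
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_link, min_link, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("not a PE32 (32-bit) image: magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]     # ImageBase (PE32)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": machine,
        "compiled_utc": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "os_version": "%d.%d" % (os_major, os_minor),
        "linker_version": "%d.%d" % (maj_link, min_link),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
        "code_size": size_of_code,
    }


def build_synthetic_header():
    """Constructed test input: a header-only PE32 carrying this page's metadata.

    This is NOT the sample; it only exercises parse_pe32().  ImageBase 0x400000
    is an assumption taken from the entry-point bytes on the page; the other
    values are the fields listed in the record.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    ts = calendar.timegm((2016, 3, 30, 10, 12, 5, 0, 0, 0))       # 3/30/2016 10:12:05 UTC
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, PE32_MAGIC, 12, 0, 127488)  # magic, linker 12.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0x12143)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase (assumed)
    struct.pack_into("<HH", opt, 40, 5, 1)                        # OS version 5.1
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage(data):
    """Hashes, page match and PE fields for one blob; PE errors are reported, not raised."""
    report = {"hashes": hash_bytes(data), "matches_page": matches_page(data)}
    try:
        report["pe"] = parse_pe32(data)
    except ValueError as exc:
        report["pe_error"] = str(exc)
    return report


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_header()
    print(json.dumps(triage(blob), indent=2))
```

Run it with a file path to get a JSON report of that file; with no argument it reports on the synthetic header. A real copy of the sample is only confirmed when matches_page() is true for all three digests, since a collision-prone MD5 match alone is not enough; the PE fields are useful for spotting a rebuilt variant that shares the timestamp and linker but not the hashes.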

The file prepreinstaller_win.exe has been observed being distributed from 6 URLs, including:

http://113.171.224.207/.../prepreinstaller_win.exe

When executed in live environments, the file has been observed making the following network connections. Every destination is an Amazon CloudFront edge node reached over plain HTTP on TCP port 80, and the edge IP differs from run to run (lax1, lax3, sfo5, waw50, sfo20), so the distribution hostname ddnmom68doto5.cloudfront.net is a more durable indicator than any single IP address, which is shared CDN infrastructure and would also block legitimate traffic.

TCP (HTTP):
Connects to server-52-85-83-27.lax1.r.cloudfront.net  (52.85.83.27:80)

TCP (HTTP):
Connects to server-52-85-77-254.lax3.r.cloudfront.net  (52.85.77.254:80)

TCP (HTTP):
Connects to server-54-230-141-126.sfo5.r.cloudfront.net  (54.230.141.126:80)

TCP (HTTP):
Connects to server-54-192-230-128.waw50.r.cloudfront.net  (54.192.230.128:80)

TCP (HTTP):
Connects to server-52-85-83-79.lax1.r.cloudfront.net  (52.85.83.79:80)

TCP (HTTP):
Connects to server-52-84-246-99.sfo20.r.cloudfront.net  (52.84.246.99:80)

TCP (HTTP):
Connects to server-52-84-246-162.sfo20.r.cloudfront.net  (52.84.246.162:80)

Remove prepreinstaller_win.exe - Powered by Reason Core Security