primopdf.exe

Pibeha

LAM Proactive And Investments Ltd

The application primopdf.exe, “Pibeha Setup” by LAM Proactive And Investments, has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application built with the Inno Setup installer. The setup program uses the InstallCore engine, which may bundle additional software offers, including toolbars and browser extensions. The file has been seen being downloaded from www.sendbitsgrab.com.
Publisher:
Kat (signed by LAM Proactive And Investments Ltd)

Product:
Pibeha

Description:
Pibeha Setup

MD5:
e15e9bcabd342ffbc4dbc473424c46bd

SHA-1:
44c249301c354b4dfc5347a782f4f98e006e2ed7

SHA-256:
e492fe99adae8ba6221f2399186cbf1a4e158eccd9b57cbe5017d40e3ac18b79

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software, which may include extensions such as DealPly and various toolbars.

Analysis date:
11/23/2024 2:27:04 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.InstallCore (M)

Engine version:
17.3.16.2

File size:
1.1 MB (1,200,912 bytes)

Product version:
1.4.0

Copyright:
Internet Web File

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Common path:
C:\users\{user}\downloads\primopdf.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
9/27/2016 1:32:19 PM

Valid to:
9/28/2017 1:32:19 PM

Subject:
CN=LAM Proactive And Investments Ltd, O=LAM Proactive And Investments Ltd, L=Herzliya, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE

Serial number:
48A70B6CBCEF24E4DCCED5ED

File PE Metadata
Compilation timestamp:
6/20/1992 1:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Entropy:
7.9725

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file primopdf.exe has been seen being distributed by the following URL.

http://www.sendbitsgrab.com/uj9VxrRX2eR dQJfFsE5qcVlUUybuTBpgrNTaA2VfispbETrGuraZ9WY4GtaaNECEa_l_tqe1iPiBepJadIT60vdB68e8LySOsoT8SnARqf9CvhitLhkBpQY5R1JQtl_cA9hOySL4FkLKpHERlQNO2o02VThQ6LijXVMaP1 eFEH26Y84hUkDCL5cNsNlb_Qrp3eH SzyXT7e4qB_FKCBmVtcRMHTrzgxBpJsh1eTh5tb5L5FMok5xBXGMkMKbpqQ_bnC3vfDz 7SFrpojo2byNrcZS3 JBhGzIwkBsMoK bo4B6CPQXJmKnxjvwJzgG_IcvNmg2Z2BPwUr4bML6jjCjsuPSC1wGK6Rh22CDdZQQzbE95nP5mPk p5iwZymHvdRTOpWFknLeyS MA0PEhIyzrtWCXCRQ9voboAqK5o8do1YsL8cuwnDzWzwWiGcarpQR7wuRrbaZbb8vs8_R0eDsZrkJ7OMzeWd3OKVF 48nDVvDw6pSgAUP 2jlbAQuifLeRWmpKi8zVnj_7GIffXSkVwboUQ==-G24AAORte69pY0lrSpSVwxRLpxw4tLICySSnw0E3Fh7qDw5BbAa5jU8PUfO54DAUnQfy0Zzcv7b8Ss8yBqNEL8IpQVMRZ5rRyt25QEEG

Powered by Reason Core Security