reimagerepair.exe

Reimage Repair

Reimage Limited

The application reimagerepair.exe, “Reimage Downloader” by Reimage Limited has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from 172.19.66.39 and multiple other hosts. While running, it connects to the Internet address vip080.ssl.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
Reimage  (signed by Reimage Limited)

Product:
Reimage Repair

Description:
Reimage Downloader

Version:
1.527

MD5:
6938646b6df01137c04c9273eee4d16f

SHA-1:
3e177d27b754ab353b9f3049335b62eda1ecc7f1

SHA-256:
1f0b26867c2c67031d64cff655e1f458b7f6b80ceb517b22888da6c1133dc255

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 11:46:31 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Reimage.Installer.Meta (L)
16.6.13.7

File size:
750.4 KB (768,400 bytes)

Product version:
1.527

Copyright:
© Reimage 2016

Trademarks:
Reimage

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\Documents and Settings\{user}\Local settings\temporary internet files\content.ie5\{random}\reimagerepair.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
5/17/2016 2:00:00 AM

Valid to:
8/17/2019 1:59:59 AM

Subject:
CN=Reimage Limited, O=Reimage Limited, L=Dasoupoli, S=Nicosia, C=CY

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
4320101ADF7A07C7405BC4433AE31FFD

File PE Metadata
Compilation timestamp:
2/24/2012 8:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:p0g83SkHh7773RT7E9Yzewxnl/NTO0gcCre50ET3cfE/KyZowelOq8wpc:Gx117bhE0pnlHX0EwfE/Pg8x

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file reimagerepair.exe has been seen being distributed by the following 5 URLs.

http://172.19.66.39/.../ReimageRepair.exe

http://103.1.138.136/cdnrep.reimage.com/.../ReimageRepair.exe

http://113.171.224.205/.../ReimageRepair.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to vip080.ssl.hwcdn.net  (205.185.208.80:80)

Remove reimagerepair.exe - Powered by Reason Core Security