home

ReimageRepair.exe

Reimage Repair

Reimage Limited

The application ReimageRepair.exe by Reimage Limited has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from cdnrep.reimage.com and multiple other hosts. While running, it connects to the Internet address vip080.ssl.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
Reimage®  (signed by Reimage Limited)

Product:
Reimage Repair

Description:
Installation

Version:
1.506

MD5:
90b50843caa26f2dd0b93e794f7a1885

SHA-1:
d8025fd26e01ce244ae91aae755a67d4867f684d

SHA-256:
1e7460eaf61b95b65342e33bc759aab1c0cb24cf27e91d681e938a6c0b84dd76

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 12:45:26 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Optional.ReimageLimited.N
14.12.3.8

File size:
757.3 KB (775,456 bytes)

Product version:
1.506

Copyright:
© Reimage 2014

Original file name:
ReimageRepair.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\reimagerepair.exe

Digital Signature
Signed by:
Reimage Limited

Authority:
VeriSign, Inc.

Valid from:
3/18/2014 7:00:00 PM

Valid to:
6/9/2016 6:59:59 PM

Subject:
CN=Reimage Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Reimage Limited, L=Nicosia, S=Nicosia, C=CY

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3F75B6FA72B8CDE336A61550C70978D2

File PE Metadata
Compilation timestamp:
2/24/2012 1:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:N0gFaK2BJM75pRE9YzewxnK3RTo9+pqNTO0gcCre50ET3cfE/KyZ2welOq8c:aLzBKRE0pnmq/X0EwfE/P28c

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...
 
[+]

Entropy:
7.9096

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file ReimageRepair.exe has been seen being distributed by the following 9 URLs.

http://cdnrep.reimage.com/download/.../ReimageRepair.exe

http://ads.adsrvmedia.net/event/click/0/FQ955xQ-GAvYYBXSMW9agRriI_5-jCekxmVplF9b89LTsENHF6cZbHfyR-BpUyhImH3WKDzrzBobjN0XuOOXYVCy9AkW7vB4ot_bb_HADTtYBhKBnbUu8jFs3Gx8-WHGnREC8F5mAj4O-2To3NHoaaORSjX4TdGuswzs-YvtD8_kyX3i4bwLoquIUENzybo-aDU_JEeFuNJf3G6Bh5Nbh4Bc3M1hwxRNpo1QR2prHfUEH2Do9F5qBb-EtXFc3lpEk4Mn2lV3iGKndMG0OT0Iu0W-bshDByTHhSt9Nl7xIuaicMmHWoZQBU7o_iMuLvPWNLNJEQLlSYquhlVqbAFVYJIA8cjFpkS9p0pQ85x7L_-EXic79oQ_Ee8H4ubn3ad3NdHVwMLuqapKHgs8zDltO2w_rE1j17swL3eLntqK3aep/.../

http://winwiki.org/.../download

http://www.reimageplus.com/.../track.php?tracking=revenuewire&campaign=direct&adgroup=direct&ads_name=direct&keyword=direct&exec=run

http://www.reimageplus.com/.../router_land.php?tracking=revenuewire&exec=run

http://winwiki.reimage.safecart.com/.../download

http://winwiki.reimage.revenuewire.net/.../download

http://winwiki.org/.../repair

http://cdnrep.reimage.com/install/.../ReimageRepair.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to vip080.ssl.hwcdn.net  (205.185.208.80:80)

Remove ReimageRepair.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.