winrar.exe

Winrar

Bechiro S.L.

This is the Solimba installer program that will bundle additional offers mostly including adware and various unwanted PC utilities. The application winrar.exe, “Winrar AppInstaller” by Bechiro S.L has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Solimba DownloadMR installer. The installer uses the Solimba download manager to push adware offers during the download and setup process. Bundled adware includes search and shopping web browser toolbars. With this installer, users are expecting to download WinRAR archiver but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
Bechiro S.L.  (signed and verified)

Product:
Winrar

Description:
Winrar AppInstaller

Version:
3.0.17.6

MD5:
8a76b21d151ac36ddae6f788263a8a1b

SHA-1:
cc64af51347eaa4ebec3e8aadfa0833cd80ba659

SHA-256:
fb7771aed45bc9f158e011d32fd554dc1236d98186a757c442c9356767094cb7

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses the Solimba installer to bundle adware offers.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/25/2024 6:08:16 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Solimba (M)
16.7.31.8

File size:
281.9 KB (288,680 bytes)

Copyright:
AppInstaller 2013 (132111102)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Solimba DownloadMR

Common path:
C:\users\{user}\downloads\winrar.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
6/12/2012 8:00:00 PM

Valid to:
6/13/2014 7:59:59 PM

Subject:
CN=Bechiro S.L., OU=Devel, O=Bechiro S.L., L=Barcelona, S=Barcelona, C=ES

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
738DCAC697C06E1B89D106073773010D

File PE Metadata
Compilation timestamp:
2/19/2012 12:01:49 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
6144:VsaocyLCJ9EnIw0TelH/QEnt3f9n581/jkOI7ASMPZE/Q:VtobsRylH/Jt3f95ALQ7FeZE/Q

Entry address:
0x4327

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 93, 42, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 94, 42, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 94, 42, 00, 56, A3, 40, 7B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 7B, 42, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, 94, 42, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 
[+]

Code size:
34.5 KB (35,328 bytes)

The file winrar.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cdn.solimba.com  (95.211.6.35:80)

TCP (HTTP):
Connects to api.downloadmr.com  (95.211.39.161:80)

 
http://api.downloadmr.com/installer/873061536/launch

Remove winrar.exe - Powered by Reason Core Security