winrarsetup-13911942.exe

KawagaSoft

The application winrarsetup-13911942.exe by KawagaSoft has been detected as adware by 12 anti-malware scanners. It is a setup program built on the InstallCore download manager, which may bundle additional offers such as ad-supported toolbars, browser extensions and utilities. Users running this installer expect to download the WinRAR archiver, but before that happens they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
KawagaSoft  (signed and verified)

MD5:
9a67912118aafa43e7fed81c17fe0cf3

SHA-1:
e9b16f987406ff541ab637c87ad2aadb8a89796d

SHA-256:
4c0301361209c569b4627d3dd45e12e831f8a88c4da3e1b740fe7d5eda9445ca

Scanner detections:
12 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
11/15/2024 3:25:53 PM UTC  (today)

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | PUA.InstallCore | 7.1.1 |
| AVG | Generic | 2015.0.3447 |
| Dr.Web | Trojan.Packed.25266 | 9.0.1.0162 |
| ESET NOD32 | Win32/InstallCore.OJ (variant) | 8.9874 |
| Fortinet FortiGate | Riskware/InstallCore | 6/11/2014 |
| Malwarebytes | | v2014.06.11.07 |
| McAfee | CryptInno!9A67912118AA | 5600.7103 |
| Reason Heuristics | PUP.Installer.KawagaSoft.U | 14.6.12.9 |
| Trend Micro House Call | TROJ_GEN.F47V0508 | 7.2.162 |
| Vba32 AntiVirus | | 3.12.26.0 |
| VIPRE Antivirus | InstallCore.b | 29788 |

File size:
598.1 KB (612,496 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\downloads\winrarsetup-13911942.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
4/1/2014 2:00:00 AM

Valid to:
4/2/2015 1:59:59 AM

Subject:
CN=KawagaSoft, O=KawagaSoft, STREET=28A Lilinblam St., L=Tel-Aviv, S=Israel, PostalCode=651307, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D018EC12F4E67C808322B5B566F010A7

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:wfvpBJH+O1v2ICEp2OSMCRW4M7ef97DRC7IVT:wfvfJHDvbVS3ieBR

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 

Entropy:
7.8479

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file winrarsetup-13911942.exe has been seen being distributed by the following 2 URLs.
