home

winrarsetup.exe

Generic Installer

Source Mode (New Media Holdings Ltd.)

The application winrarsetup.exe, “Generic Installer Setup ” by Source Mode (New Media Holdings) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. With this installer, users are expecting to download WinRAR archiver but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
Program Installer   (signed by Source Mode (New Media Holdings Ltd.))

Product:
Generic Installer

Description:
Generic Installer Setup

Version:
1.5.1.6

MD5:
929dc79f2e6d473cd5a74319cc318995

SHA-1:
86b5d83819af86dd22b8132b16e11022ac04ad27

SHA-256:
74891fe224d5ce33b8d63500d1106108c5b03fcc309b3c46a3c08ffbc243c136

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/24/2024 2:37:11 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.NewMedia.NMH (M)
16.10.31.9

File size:
781 KB (799,728 bytes)

Product version:
1.6

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\winrarsetup.exe

Digital Signature
Signed by:
Source Mode (New Media Holdings Ltd.)

Authority:
GlobalSign nv-sa

Valid from:
2/9/2015 1:05:03 PM

Valid to:
2/10/2016 1:05:03 PM

Subject:
CN=Source Mode (New Media Holdings Ltd.), O=Source Mode (New Media Holdings Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11215F6BF409D2FB1A0D2D6806029291E602

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:osr/PFD2taoOHl7MEYHCzOY7xD8XmtOqVTZIArSuR+z3QFfriY:ow1M5+UizOY7xgXxqVTZ3GuRuQFriY

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Entropy:
7.8940

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

Remove winrarsetup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.