77zip973867.exe

Installer

MediaTechSoft Inc.

This is the Performersoft setup installer. The application 77zip973867.exe by MediaTechSoft has been detected as adware by 36 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
MediaTechSoft Inc.  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
14079656102f1698975396494631002e

SHA-1:
5a71440623149a1311d7cb4b2564080d6d4b5bff

SHA-256:
24a3f82972611d2acda66e515fa30d1f60cfc7a45212986657d81173e28a623b

Scanner detections:
36 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, it is not set by default and is usually overlooked.

Analysis date:
4/25/2024 12:24:05 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Bundler.InstallBrain.A
6762526

Agnitum Outpost
Trojan.DL.Brantall
7.1.1

AhnLab V3 Security
Adware/Win32.BrainInst
2014.08.30

Avira AntiVirus
APPL/InstallBrain.Gen
7.11.170.24

avast!
Win32:Adware-gen [Adw]
150101-1

AVG
Downloader.Generic13
2016.0.3179

Bitdefender
Application.Bundler.InstallBrain.A
1.0.20.325

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
Application.Win32.InstallBrain.AO
17541

Dr.Web
Adware.Downware.1407
9.0.1.05190

Emsisoft Anti-Malware
Application.Bundler.InstallBrain
9.0.0.4799

ESET NOD32
Win32/InstallBrain.AJ potentially unwanted application
7.0.302.0

F-Prot
W32/A-86618429
v6.4.7.1.166

F-Secure
Riskware.Application.Bundler.InstallBrain
5.13.68

G Data
Application.Bundler.InstallBrain
15.3.24

IKARUS anti.virus
Trojan-Downloader.Win32.Brantall
t3scan.1.7.5.0

K7 AntiVirus
Adware
13.174.10720

Kaspersky
not-a-virus:HEUR:AdWare.Win32.BrainInst
15.0.0.543

Malwarebytes
Adware.InstallBrain
v2015.03.06.05

McAfee
Trojan.Artemis!14079656102F
16.8.708.2

Microsoft Security Essentials
TrojanDownloader:Win32/Brantall.C
1.10904

MicroWorld eScan
Application.Bundler.InstallBrain.A
16.0.0.195

NANO AntiVirus
Trojan.Win32.Downware.cqmkvz
0.28.2.61861

Norman
Application.Bundler.InstallBrain.A
03.12.2014 13:20:04

Panda Antivirus
Trj/Brantall.A
15.03.06.05

Qihoo 360 Security
Win32/Virus.Adware.375
1.0.0.1015

Quick Heal
TrojanDownloader.Brantall.A5
3.15.14.00

Reason Heuristics
PUP.Bundler.Performersoft
15.3.6.5

Sophos
PUA 'InstallBrain'
5.11

SUPERAntiSpyware
Adware.InstallBrain/Variant
10015

Total Defense
Win32/Tnega.DYNHaHD
37.0.11151

Trend Micro House Call
TROJ_GEN.R0CCC0DF414
7.2.65

Trend Micro
TROJ_GEN.R0CCC0DF414
10.465.06

Vba32 AntiVirus
AdWare.BrainInst
3.12.26.3

VIPRE Antivirus
InstallBrain
32664

Zillya! Antivirus
Downloader.BrainInst.Win32.24
2.0.0.1906

File size:
766.3 KB (784,672 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\77zip973867.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
3/29/2013 7:18:00 PM

Valid to:
3/29/2016 8:18:00 PM

Subject:
CN=MediaTechSoft Inc., O=MediaTechSoft Inc., L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4B870730DE21B9

File PE Metadata
Compilation timestamp:
8/14/2013 5:03:07 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:MySptWEiWIJqT/ETMPPZXD6Y4603ey8ot9EzX1R3cVhTZY7Rlyfb88fUqzSD:M+XIT8upD6Y49H9EX3c7TAPywoZuD

Entry address:
0xBF2D

Entry point:
E8, 8E, 46, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, CC, 35, 42, 00, 00, 75, 18, E8, D9, 3E, 00, 00, 6A, 1E, E8, 23, 3D, 00, 00, 68, FF, 00, 00, 00, E8, 31, 26, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, CC, 35, 42, 00, FF, 15, 5C, 90, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, C8, 35, 42, 00, 74, 0D, 53, E8, 81, 19, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 53, 19, 00, 00, 89, 30, E8, 4C, 19, 00, 00, 89...

Entropy:
7.7917  (probably packed)

Code size:
96 KB (98,304 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
