77zipsetup.exe

Installer

We Code Good Inc.

This is the Performersoft setup installer. The application 77zipsetup.exe by We Code Good has been detected as adware by 36 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from www.softologicsd.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
We Code Good Inc.  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
40cb43e541d9621e6c5a505e803756aa

SHA-1:
586a9de9c5a231199326bbcce5e884498a0e52aa

SHA-256:
fab1864c9236a6bd4713a57f87a9da41fb38596ef5b69d043b302b10b1d8ea5e

Scanner detections:
36 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, it is not set by default and is usually overlooked.

Analysis date:
4/25/2024 8:42:21 PM UTC

Scan engine | Detection | Engine version
--- | --- | ---
Lavasoft Ad-Aware | Application.Bundler.InstallBrain.A | 911
Agnitum Outpost | Trojan.DL.Brantall | 7.1.1
AhnLab V3 Security | Downloader/Win32.Agent | 2014.07.27
Avira AntiVirus | APPL/InstallBrain.Gen | 7.11.114.70
avast! | Win32:Malware-gen | 2014.9-140807
AVG | Downloader.Generic13 | 2015.0.3513
Bitdefender | Gen:Variant.Adware.Kazy.284891 | 1.0.20.480
Bkav FE | W32.Clodddd.Trojan | 1.3.0.4613
Comodo Security | Application.Win32.InstallBrain.AH | 17565
Dr.Web | Adware.Downware.1425 | 9.0.1.096
Emsisoft Anti-Malware | Gen:Variant.Adware.Kazy.284891 | 8.14.04.06.12
ESET NOD32 | Win32/InstallBrain.AQ (variant) | 8.9062
F-Prot | W32/A-86618429 | v6.4.7.1.166
F-Secure | Gen:Variant.Adware.Kazy.284891 | 11.2014-06-04_1
G Data | Gen:Variant.Adware.Kazy.284891 | 14.4.22
herdProtect (fuzzy) |  | 2014.4.6.0
IKARUS anti.virus | Win32.SuspectCrc | t3scan.2.2.29
K7 AntiVirus | Unwanted-Program | 13.175.10750
Kaspersky | not-a-virus:HEUR:AdWare.Win32.BrainInst | 14.0.0.4060
Malwarebytes | Adware.InstallBrain | v2014.04.06.12
McAfee | Artemis!2804DFD8A411 | 5600.7169
Microsoft Security Essentials | TrojanDownloader:Win32/Brantall.D | 1.163.1557.0
MicroWorld eScan | Gen:Variant.Adware.Kazy.284891 | 15.0.0.288
NANO AntiVirus | Riskware.Win32.BrainInst.cqttfb | 0.28.0.57029
nProtect | Trojan-Clicker/W32.BrainInst.791968 | 14.07.25.01
Panda Antivirus | Trj/Brantall.A | 14.08.07.05
Quick Heal | TrojanDownloader.Brantall.A5 | 8.14.14.00
Reason Heuristics | PUP.Installer.WeCodeGood.K | 14.8.7.17
Sophos | Generic PUA PN | 4.96
SUPERAntiSpyware | PUP.InstallBrain/Variant | 10436
Total Defense | Win32/Tnega.LVcHJRC | 37.0.10498
Trend Micro House Call | TROJ_GEN.F47V0904 | 7.2.96
Trend Micro | TROJ_SPNV.03BG14 | 10.465.07
Vba32 AntiVirus | Downware.InstallBrain | 3.12.24.3
VIPRE Antivirus | InstallBrain | 23488
Zillya! Antivirus | Downloader.BrainInst.Win32.9 | 2.0.0.1784

File size:
773.4 KB (791,968 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\77zipsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
11/1/2012 9:20:37 PM

Valid to:
11/1/2015 9:20:37 PM

Subject:
CN=We Code Good Inc., O=We Code Good Inc., L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4EEF3A85620395

File PE Metadata
Compilation timestamp:
10/16/2013 10:09:15 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:rwVYf3l/nqOTRI4Im2kz1LKlsJ95yv3g42qFag/E65VBcX1YsGsin4E5z4DEqrC:06PNTbHbIg42Bg865VBUusGsin/zXqrC

Entry address:
0xC02D

Entry point:
E8, EE, 4B, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, C8, 45, 42, 00, 00, 75, 18, E8, 39, 44, 00, 00, 6A, 1E, E8, 83, 42, 00, 00, 68, FF, 00, 00, 00, E8, A9, 2B, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, C8, 45, 42, 00, FF, 15, 50, A0, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, CC, 45, 42, 00, 74, 0D, 53, E8, 11, 2A, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, E3, 29, 00, 00, 89, 30, E8, DC, 29, 00, 00, 89...

Entropy:
7.7884  (probably packed)

Code size:
98 KB (100,352 bytes)

The file 77zipsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
