77zipsetup.exe

Installer

We Code Good Inc.

This is the Performersoft setup installer. The application 77zipsetup.exe by We Code Good has been detected as adware by 40 anti-malware scanners. It is a setup program built on InstallBrain, a pay-per-install monetization download manager, and it bundles additional offers, mostly adware. InstallBrain will also install a background updater service that will update any installed browser add-ons and plug-ins. The file has been seen being downloaded from www.softologicsd.com. While running, it connects to the Internet address www.ibbalance.com on port 443.

Publisher:
We Code Good Inc.  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
641ec45d9ddeb6f14d46ac3b4bf52401

SHA-1:
7a098a71b18160af1e4f95e45b1ad4a42c6dc752

SHA-256:
4f475a97e98914ec19336872574d6cd712acd22efae6e1c6329b74f5495741cd

Scanner detections:
40 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
4/24/2024 5:54:14 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Kazy.284891
375

Agnitum Outpost
Trojan.Adware
7.1.1

AhnLab V3 Security
Adware/Win32.InstallBrain
2015.02.06

Avira AntiVirus
APPL/InstallBrain.Gen
7.11.207.154

avast!
Win32:PUP-gen [PUP]
2014.9-160125

AVG
Luhe.InstallBrain.A
2017.0.2853

Bitdefender
Gen:Variant.Adware.Kazy.284891
1.0.20.125

Bkav FE
W32.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Adware.Installbrain-1702
0.98/19942

Comodo Security
UnclassifiedMalware
20973

Dr.Web
Adware.Downware.1425
9.0.1.025

Emsisoft Anti-Malware
Gen:Variant.Adware.Kazy.284891
8.16.01.25.03

ESET NOD32
Win32/InstallBrain.AQ potentially unwanted (variant)
10.11129

Fortinet FortiGate
Adware/Fam.NB
1/25/2016

F-Prot
W32/A-d5dfbac3
v6.4.7.1.166

F-Secure
Gen:Variant.Adware.Kazy.284891
11.2016-25-01_2

G Data
Gen:Variant.Adware.Kazy.284891
16.1.25

IKARUS anti.virus
AdWare.InstallBrain
t3scan.1.6.1.0

K7 AntiVirus
Unwanted-Program
13.193.14880

Kaspersky
not-a-virus:HEUR:AdWare.Win32.BrainInst
14.0.0.762

Malwarebytes
Adware.InstallBrain
v2016.01.25.03

McAfee
Artemis!2EAFBB2F9A53
5600.6509

Microsoft Security Essentials
TrojanDownloader:Win32/Brantall.D
1.1.11302.0

MicroWorld eScan
Gen:Variant.Adware.Kazy.284891
17.0.0.75

NANO AntiVirus
Trojan.Win32.Downware.cqioyi
0.30.0.65070

Norman
Gen:Variant.Adware.Kazy.284891
11.20160125

nProtect
Trojan-Clicker/W32.BrainInst.786272
15.02.05.01

Panda Antivirus
Trj/Brantall.A
16.01.25.03

Qihoo 360 Security
Win32/Virus.Adware.375
1.0.0.1015

Quick Heal
TrojanDownloader.Brantall.A5
1.16.14.00

Reason Heuristics
PUP.Performersoft.WeCodeGood.Bundler (M)
16.1.25.15

Rising Antivirus
PE:Trojan.DL.Win32.Brantall.n!1075356724
23.00.65.16123

Sophos
InstallBrain
4.98

SUPERAntiSpyware
Adware.InstallBrain/Variant
9364

Total Defense
Win32/Tnega.ICFFLHD
37.0.10977

Trend Micro House Call
TROJ_GEN.F0C2C00KR14
7.2.25

Trend Micro
TROJ_GEN.F0C2C00KR14
10.465.25

Vba32 AntiVirus
Downware.InstallBrain
3.12.26.3

VIPRE Antivirus
InstallBrain
37286

Zillya! Antivirus
Downloader.BrainInst.Win32.13
2.0.0.2055

File size:
773.4 KB (791,968 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\77zipsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
11/1/2012 6:20:37 PM

Valid to:
11/1/2015 6:20:37 PM

Subject:
CN=We Code Good Inc., O=We Code Good Inc., L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4EEF3A85620395

File PE Metadata
Compilation timestamp:
10/2/2013 11:18:58 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:k698xmJbxCOTEG/XDD94s5YMvGjGRb+5j3EpPkWAotZDfBuTHSPPbEqk:TV1TEns5Ye8p/O8LSPAqk

Entry address:
0xD43D

Entry point:
E8, 9F, 42, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, C4, 44, 42, 00, 00, 75, 18, E8, EA, 3A, 00, 00, 6A, 1E, E8, 34, 39, 00, 00, 68, FF, 00, 00, 00, E8, 31, 26, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, C4, 44, 42, 00, FF, 15, 4C, A0, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, C8, 44, 42, 00, 74, 0D, 53, E8, 81, 19, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 53, 19, 00, 00, 89, 30, E8, 4C, 19, 00, 00, 89...
 

Code size:
98 KB (100,352 bytes)

The file 77zipsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
