77zipsetup.exe

Installer

We Code Good Inc.

This is the Performersoft setup installer. The application 77zipsetup.exe by We Code Good has been detected as adware by 40 anti-malware scanners. It is a setup program built on InstallBrain, a pay-per-install monetization download manager, and it bundles additional offers, mostly adware. InstallBrain also installs a background updater service that updates any installed browser add-ons and plug-ins. The file has been seen being downloaded from www.softologicsd.com. While running, it connects to the Internet address www.ibbalance.com on port 443.

Publisher:
We Code Good Inc.  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
e51cbb17ae1f565184ea18dbb0c4c997

SHA-1:
e24276057d1dbd0722b6949edf7da06bb333bd48

SHA-256:
5e1ee879bd3e043d79ca86d7c1be87913f4221e8efd26b82ca8d1e0c708cc2f2

Scanner detections:
40 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/19/2024 8:13:13 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Gen:Variant.Adware.Kazy.284891 | 372 |
| Agnitum Outpost | Trojan.Adware | 7.1.1 |
| AhnLab V3 Security | Adware/Win32.InstallBrain | 2015.02.06 |
| Avira AntiVirus | APPL/InstallBrain.Gen | 7.11.207.154 |
| avast! | Win32:PUP-gen [PUP] | 2014.9-160129 |
| AVG | Luhe.InstallBrain.A | 2017.0.2850 |
| Bitdefender | Gen:Variant.Adware.Kazy.284891 | 1.0.20.145 |
| Bkav FE | W32.HfsAdware | 1.3.0.6379 |
| Clam AntiVirus | Win.Adware.Installbrain-1702 | 0.98/19942 |
| Comodo Security | UnclassifiedMalware | 20973 |
| Dr.Web | Adware.Downware.1425 | 9.0.1.029 |
| Emsisoft Anti-Malware | Gen:Variant.Adware.Kazy.284891 | 8.16.01.29.01 |
| ESET NOD32 | Win32/InstallBrain.AQ potentially unwanted (variant) | 10.11129 |
| Fortinet FortiGate | Adware/Fam.NB | 1/29/2016 |
| F-Prot | W32/A-d5dfbac3 | v6.4.7.1.166 |
| F-Secure | Gen:Variant.Adware.Kazy.284891 | 11.2016-29-01_6 |
| G Data | Gen:Variant.Adware.Kazy.284891 | 16.1.25 |
| IKARUS anti.virus | AdWare.InstallBrain | t3scan.1.6.1.0 |
| K7 AntiVirus | Unwanted-Program | 13.193.14880 |
| Kaspersky | not-a-virus:HEUR:AdWare.Win32.BrainInst | 14.0.0.745 |
| Malwarebytes | Adware.InstallBrain | v2016.01.29.01 |
| McAfee | Artemis!2EAFBB2F9A53 | 5600.6506 |
| Microsoft Security Essentials | TrojanDownloader:Win32/Brantall.D | 1.1.11302.0 |
| MicroWorld eScan | Gen:Variant.Adware.Kazy.284891 | 17.0.0.87 |
| NANO AntiVirus | Trojan.Win32.Downware.cqioyi | 0.30.0.65070 |
| Norman | Gen:Variant.Adware.Kazy.284891 | 11.20160129 |
| nProtect | Trojan-Clicker/W32.BrainInst.786272 | 15.02.05.01 |
| Panda Antivirus | Trj/Brantall.A | 16.01.29.01 |
| Qihoo 360 Security | Win32/Virus.Adware.375 | 1.0.0.1015 |
| Quick Heal | TrojanDownloader.Brantall.A5 | 1.16.14.00 |
| Reason Heuristics | PUP.Performersoft.WeCodeGood.Bundler (M) | 16.1.29.1 |
| Rising Antivirus | PE:Trojan.DL.Win32.Brantall.n!1075356724 | 23.00.65.16127 |
| Sophos | InstallBrain | 4.98 |
| SUPERAntiSpyware | Adware.InstallBrain/Variant | 9357 |
| Total Defense | Win32/Tnega.ICFFLHD | 37.0.10977 |
| Trend Micro House Call | TROJ_GEN.F0C2C00KR14 | 7.2.29 |
| Trend Micro | TROJ_GEN.F0C2C00KR14 | 10.465.29 |
| Vba32 AntiVirus | Downware.InstallBrain | 3.12.26.3 |
| VIPRE Antivirus | InstallBrain | 37286 |
| Zillya! Antivirus | Downloader.BrainInst.Win32.13 | 2.0.0.2055 |

File size:
781.9 KB (800,640 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\77zipsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
11/1/2012 3:20:37 PM

Valid to:
11/1/2015 2:20:37 PM

Subject:
CN=We Code Good Inc., O=We Code Good Inc., L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4EEF3A85620395

File PE Metadata
Compilation timestamp:
9/13/2013 9:25:37 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:iTh0TSmyoUnlE7bNpe53WCkjHl4HFYrqr:ah0T0bw3eZJkjHqHerm

Entry address:
0xC009

Entry point:
E8, A5, 4D, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 20, 67, 42, 00, 00, 75, 18, E8, F0, 45, 00, 00, 6A, 1E, E8, 3A, 44, 00, 00, 68, FF, 00, 00, 00, E8, E7, 26, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 20, 67, 42, 00, FF, 15, 50, B0, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, 24, 67, 42, 00, 74, 0D, 53, E8, E5, 19, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, B7, 19, 00, 00, 89, 30, E8, B0, 19, 00, 00, 89...
 

Entropy:
7.7839

Packer / compiler:
PEQuake V0.06

Code size:
104 KB (106,496 bytes)

The file 77zipsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

TCP (HTTP):
