77zipsetup.exe

Installer

We Code Good Inc.

This is the Performersoft setup installer. The application 77zipsetup.exe by We Code Good has been detected as adware by 35 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from www.softologicsd.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
We Code Good Inc.  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
d9764883aeb4b6c85f7e3b148297b8b3

SHA-1:
ef6a36ae28f63303f7c16715a3059ede683430f5

SHA-256:
aa9e0c3b90de1383196c503e2d357565d168dbdb637c77a3e75b019aed86d2f3

Scanner detections:
35 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/16/2024 10:03:10 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Application.Bundler.InstallBrain.A | 928
Agnitum Outpost | Trojan.DL.Brantall | 7.1.1
AhnLab V3 Security | Downloader/Win32.Agent | 2014.07.27
Avira AntiVirus | APPL/InstallBrain.AH | 7.11.154.46
avast! | Win32:InstallBrain-AN [PUP] | 2014.9-140722
AVG | Downloader.Generic13 | 2015.0.3406
Bitdefender | Application.Bundler.InstallBrain.A | 1.0.20.1015
Bkav FE | W32.Clod772.Trojan | 1.3.0.4959
Comodo Security | Application.Win32.InstallBrain.AH | 18499
Dr.Web | Adware.Downware.1458 | 9.0.1.0203
Emsisoft Anti-Malware | Gen:Variant.Adware.Kazy.284891 | 8.14.07.22.08
ESET NOD32 | Win32/InstallBrain.AP (variant) | 8.9923
F-Prot | W32/A-86618429 | v6.4.7.1.166
F-Secure | Application.Bundler.InstallBrain | 11.2014-22-07_3
G Data | Application.Bundler.InstallBrain | 14.7.24
IKARUS anti.virus | AdWare.BrainInst | t3scan.1.6.1.0
K7 AntiVirus | Unwanted-Program | 13.1712358
Kaspersky | not-a-virus:HEUR:AdWare.Win32.BrainInst | 14.0.0.3523
Malwarebytes | Adware.InstallBrain | v2014.07.22.08
McAfee | Artemis!D9764883AEB4 | 5600.7062
Microsoft Security Essentials | TrojanDownloader:Win32/Brantall.A | 1.10600
MicroWorld eScan | Application.Bundler.InstallBrain.A | 15.0.0.609
NANO AntiVirus | Riskware.Win32.BrainInst.cqttfb | 0.28.0.60253
nProtect | Trojan-Clicker/W32.BrainInst.791968 | 14.07.25.01
Panda Antivirus | Trj/Brantall.A | 14.07.22.08
Quick Heal | TrojanDownloader.Brantall.A5 | 7.14.14.00
Reason Heuristics | PUP.Installer.WeCodeGood.K | 14.8.7.17
Sophos | InstallBrain | 4.98
SUPERAntiSpyware | PUP.InstallBrain/Variant | 10436
Total Defense | Win32/Tnega.LVcHJRC | 37.0.10990
Trend Micro House Call | TROJ_SPNV.03BG14 | 7.2.203
Trend Micro | TROJ_SPNV.03BG14 | 10.465.22
Vba32 AntiVirus | AdWare.BrainInst | 3.12.26.0
VIPRE Antivirus | InstallBrain | 30154
Zillya! Antivirus | Downloader.BrainInst.Win32.9 | 2.0.0.1784

File size:
782.8 KB (801,600 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\77zipsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
11/1/2012 6:20:37 PM

Valid to:
11/1/2015 6:20:37 PM

Subject:
CN=We Code Good Inc., O=We Code Good Inc., L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4EEF3A85620395

File PE Metadata
Compilation timestamp:
9/3/2013 6:51:48 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:FNeZxo4TpQ+YWv5G02QobMfbHTT1mAH4FCqNep:WLo4TuWvQ78/T1VH4EEep

Entry address:
0xC2CD

Entry point:
E8, 56, 53, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 28, 77, 42, 00, 00, 75, 18, E8, A1, 4B, 00, 00, 6A, 1E, E8, EB, 49, 00, 00, 68, FF, 00, 00, 00, E8, B1, 2F, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 28, 77, 42, 00, FF, 15, 48, C0, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, 2C, 77, 42, 00, 74, 0D, 53, E8, C7, 2D, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 23, 1E, 00, 00, 89, 30, E8, 1C, 1E, 00, 00, 89...

Code size:
107 KB (109,568 bytes)

The file 77zipsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
