bestcodecssetup.exe

Installer

Performersoft LLC

This is the Performersoft setup installer. The application bestcodecssetup.exe by Performersoft has been detected as a potentially unwanted program by 13 anti-malware scanners. It is a setup application built on InstallBrain, a pay-per-install monetization download manager, which it uses to bundle additional offers, mostly adware. InstallBrain also installs a background updater service that updates any installed browser add-ons and plug-ins. The file has been seen being downloaded from www.softologic.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Performersoft LLC  (signed and verified)

Product:
Installer

Version:
14.12.8.9

MD5:
bc09ecf75183ac4291174468d0a85153

SHA-1:
80af42aa5d7fc358a3f77d2f2ad0a1854c687dab

SHA-256:
08b304176e737b95f9239fa988cd317d928e0f6502617e0d7a28520d20524d61

Scanner detections:
13 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 12:15:08 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | Trojan.DL.Brantall | 7.1.1 |
| Comodo Security | Application.Win32.InstallBrain.BE | 17841 |
| Dr.Web | Adware.Downware.1338 | 9.0.1.0298 |
| F-Prot | W32/IBrain.G.gen | v6.4.7.1.166 |
| F-Secure | Trojan:W32/InstallBrain.A | 11.2015-25-10_1 |
| herdProtect (fuzzy) | | 2015.10.25.13 |
| K7 AntiVirus | Unwanted-Program | 13.176.11256 |
| Kaspersky | not-a-virus:HEUR:AdWare.Win32.BrainInst | 14.0.0.1222 |
| Malwarebytes | Adware.InstallBrain | v2015.10.25.01 |
| NANO AntiVirus | Riskware.Win32.BrainInst.crcjut | 0.28.0.57630 |
| Quick Heal | TrojanDownloader.Brantall.A5 | 10.15.12.00 |
| Reason Heuristics | PUP.Performersoft.Bundler (M) | 15.8.29.0 |
| Sophos | InstallBrain | 4.97 |

File size:
568.6 KB (582,272 bytes)

Product version:
14.12.8.9

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\bestcodecssetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
6/28/2012 12:28:03 AM

Valid to:
6/28/2015 12:28:03 AM

Subject:
CN=Performersoft LLC, O=Performersoft LLC, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07DAC5F73C6773

File PE Metadata
Compilation timestamp:
11/1/2012 7:50:44 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:LOhxlLGZaygq0qbYVKeo9jWkBZE8HIbeoUSfbDz7VT5divvPN9/0:LbZaTqsLoBvc82tbDZqnP30

Entry address:
0xF931

Entry point:
E8, C3, 52, 00, 00, E9, 89, FE, FF, FF, 6A, 0C, 68, 98, 52, 42, 00, E8, 19, 18, 00, 00, 6A, 0E, E8, C0, 54, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, DC, 98, 42, 00, BA, D8, 98, 42, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A, 04, 50, E8, 35, E7, FF, FF, 59, FF, 76, 04, E8, 2C, E7, FF, FF, 59, 83, 66, 04, 00, C7, 45, FC, FE, FF, FF, FF, E8, 0A, 00, 00, 00, E8, 08, 18, 00, 00, C3, 8B, D0, EB, C5, 6A, 0E, E8, 8C, 53, 00, 00, 59, C3, CC, CC, CC, CC, CC, 8B...
 

Entropy:
7.7414  (probably packed)

Code size:
122 KB (124,928 bytes)

The file bestcodecssetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

TCP (HTTP):
