home

CodecPerformerSetup.exe

PurpleTech Software Inc

This is the Performersoft setup installer. The application CodecPerformerSetup.exe by PurpleTech Software Inc has been detected as adware by 36 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. The setup program bundles additional offers, mostly adware, using the InstallBrain installer, a pay-per-install monetization download manager. InstallBrain will also install a background updater service that will update any installed browser add-ons and plug-ins. The file has been seen being downloaded from www.jetappspeed.com. While running, it connects to the Internet address 174.36.241.169-static.reverse.softlayer.com on port 80 using the HTTP protocol.
Publisher:
CodecPerformer  (signed by PurpleTech Software Inc)

Product:
CodecPerformer

Version:
14.9.11.11

MD5:
5e424f83c87c497bf14813fa3671c5df

SHA-1:
4c3226c6c056d0244f147cd4f307a20c32a54859

SHA-256:
33a08b0192b78041eb78a5b2460f7311a5bf1f805006eaaf4ab6a4fae6ea266f

Scanner detections:
36 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware both search toolbars and PC optimizers from Performersoft.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
4/26/2024 8:41:16 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.InstallBrain.E
597

Agnitum Outpost
PUA.InstallBrain
7.1.1

AhnLab V3 Security
PUP/Win32.InstallBrain
2014.09.10

Avira AntiVirus
ADWARE/InstallBrain.Gen
7.11.171.106

avast!
InstallBrain-BX [PUP]
150602-1

AVG
Adware InstallBrain.AY
2015.0.4355

Baidu Antivirus
Adware.Win32.InstallBrain
4.0.3.15617

Bitdefender
Adware.InstallBrain.E
1.0.20.840

Bkav FE
W32.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Adware.Installbrain-1522
0.98/20576

Comodo Security
Application.Win32.InstallBrain.BF
18965

Dr.Web
Trojan.Packed.28512
9.0.1.05190

Emsisoft Anti-Malware
Adware.InstallBrain
8.15.06.17.03

ESET NOD32
Win32/InstallBrain.CN potentially unwanted application
7.0.302.0

Fortinet FortiGate
W32/Skintrim.B!tr
6/17/2015

F-Prot
W32/A-3442f84d
v6.4.7.1.166

F-Secure
Adware.InstallBrain.E
11.2015-17-06_4

G Data
Adware.InstallBrain
15.6.24

IKARUS anti.virus
PUA.Giraffe
t3scan.1.6.1.0

K7 AntiVirus
Unwanted-Program
13.183.13166

Kaspersky
not-a-virus:AdWare.Win32.BrainInst
14.0.0.1872

Malwarebytes
PUP.Optional.CodecPerformer.A
v2015.06.17.03

McAfee
Trojan.Artemis!7C1769FB83F3
5600.6731

MicroWorld eScan
Adware.InstallBrain.E
16.0.0.504

NANO AntiVirus
Trojan.Win32.InstallBrain.derzsq
0.28.2.61942

Norman
Adware.InstallBrain.E
11.20150617

nProtect
Adware.InstallBrain.E
14.09.07.01

Panda Antivirus
Trj/Genetic.gen
15.06.17.03

Quick Heal
PUA.Purpletech.Gen
6.15.14.00

Reason Heuristics
PUP.Performersoft.Bundler
15.6.17.15

Rising Antivirus
PE:Malware.Obscure!1.9C59
23.00.65.15615

Sophos
PUA 'InstallBrain'
5.15

SUPERAntiSpyware
Questionable.Resource
9808

Vba32 AntiVirus
AdWare.BrainInst
3.12.26.3

VIPRE Antivirus
Threat.4759033
32938

Zillya! Antivirus
Adware.BrainInst.Win32.108
2.0.0.1902

File size:
1.2 MB (1,271,584 bytes)

Product version:
14.9.11.11

Copyright:
Copyright 2014

Original file name:
CodecPerformerSetup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Digital Signature
Signed by:
PurpleTech Software Inc

Authority:
GoDaddy.com, Inc.

Valid from:
12/15/2013 8:50:01 PM

Valid to:
9/12/2015 4:45:58 AM

Subject:
CN=PurpleTech Software Inc, O=PurpleTech Software Inc, L=Beaverton, S=Oregon, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
043990240F90A4

File PE Metadata
Compilation timestamp:
8/20/2014 10:24:30 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:k1QfopqgxbibCXi6kgaINVD4W7CS7YsXDV6YkHzr9jWp04b9GOjbvD/+XbdeXcKY:k1wgIGXiTcNV7CS7bkY8xWa4bbDmXbdb

Entry address:
0x1A81F

Entry point:
E8, 30, 6D, FF, FF, E9, 2B, 9D, FE, FF, C7, 01, 64, B5, 41, 00, E9, B8, 64, FF, FF, 8B, FF, 55, 8B, EC, 56, 8B, F1, C7, 06, 64, B5, 41, 00, E8, A5, 64, FF, FF, F6, 45, 08, 01, 74, 07, 56, E8, 69, 20, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, 51, 10, 56, 8B, 32, 8D, 41, 48, 3B, F0, 74, 12, 89, 71, 3C, 8B, 71, 30, 8B, 36, 57, 8B, 79, 20, 03, 37, 5F, 89, 71, 40, 89, 02, 8B, 51, 20, 89, 02, 8B, D1, 2B, D0, 8B, 41, 30, 83, C2, 49, 89, 10, 5E, C3, B8, 60, 3A, 42, 00, C3, C7, 45, FC, FF, FF, FF, FF, B8, F6, 2F...
 
[+]

Code size:
102.5 KB (104,960 bytes)

The file CodecPerformerSetup.exe has been seen being distributed by the following URL.

http://www.jetappspeed.com/.../$hOcIXJlsIQYpjisD?v=18&cid=3975&clickid=008681372011818916921&a=1&cert=pts

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-235-159-97.compute-1.amazonaws.com  (54.235.159.97:80)

TCP (HTTP):
Connects to 174.36.241.169-static.reverse.softlayer.com  (174.36.241.169:80)

Remove CodecPerformerSetup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.