CodecPerformerSetup.exe

PurpleTech Software Inc

This is the Performersoft setup installer. CodecPerformerSetup.exe, published by PurpleTech Software Inc, has been detected as adware by 41 of 68 anti-malware scanners. It is a setup application built on InstallBrain, a pay-per-install monetization download manager, and bundles additional offers, mostly adware, into the installation. InstallBrain also installs a background updater service that updates any installed browser add-ons and plug-ins. The file has been seen being downloaded from www.jetappspeed.com. While running, it connects to 174.36.241.169-static.reverse.softlayer.com (174.36.241.169) on port 80 over HTTP.
Publisher:
CodecPerformer  (signed by PurpleTech Software Inc)

Product:
CodecPerformer

Version:
14.9.11.11

MD5:
5e424f83c87c497bf14813fa3671c5df

SHA-1:
4c3226c6c056d0244f147cd4f307a20c32a54859

SHA-256:
33a08b0192b78041eb78a5b2460f7311a5bf1f805006eaaf4ab6a4fae6ea266f

Scanner detections:
41 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
5/28/2018 7:12:16 AM UTC

Scan engine           Detection                           Engine version
Lavasoft Ad-Aware     Adware.InstallBrain.E               597
Agnitum Outpost       PUA.InstallBrain                    7.1.1
AhnLab V3 Security    PUP/Win32.InstallBrain              2014.09.10
Avira AntiVirus       ADWARE/InstallBrain.Gen             7.11.171.106
Antiy Labs AVL        Trojan/Win32.Badur                  0.1.0.1
avast!                InstallBrain-BX [PUP]               150602-1
AVG                   Adware InstallBrain.AY              2015.0.4355
Baidu Antivirus       Adware.Win32.InstallBrain           4.0.3.15617
Bitdefender           Adware.InstallBrain.E               1.0.20.840
Bkav FE               W32.HfsAdware                       1.3.0.6379
Clam AntiVirus        Win.Adware.Installbrain-1522        0.98/20576
Comodo Security       Application.Win32.InstallBrain.BF   18965
Dr.Web                Trojan.Packed.28512                 9.0.1.05190
Emsisoft Anti-Malware Adware.InstallBrain                 8.15.06.17.03
ESET NOD32            Win32/InstallBrain.CN potentially unwanted application  7.0.302.0
Fortinet FortiGate    W32/Skintrim.B!tr                   6/17/2015
F-Prot                W32/A-3442f84d                      v6.4.7.1.166
F-Secure              Adware.InstallBrain.E               11.2015-17-06_4
G Data                Adware.InstallBrain                 15.6.24
IKARUS anti.virus     PUA.Giraffe                         t3scan.1.6.1.0
Jiangmin              AdWare/BrainInst.ene                KV150617
K7 AntiVirus          Unwanted-Program                    13.183.13166
K7 Gateway Antivirus  Adware                              13.183.12998
Kaspersky             not-a-virus:AdWare.Win32.BrainInst  14.0.0.1872
Kingsoft AntiVirus    Win32.Troj.InstallBrain.E.(kcloud)  331020.49267
Malwarebytes          PUP.Optional.CodecPerformer.A       v2015.06.17.03
McAfee                Trojan.Artemis!7C1769FB83F3         5600.6731
McAfee Web Gateway    BehavesLike.Win32.Downloader.tc     7.6731
MicroWorld eScan      Adware.InstallBrain.E               16.0.0.504
NANO AntiVirus        Trojan.Win32.InstallBrain.derzsq    0.28.2.61942
Norman                Adware.InstallBrain.E               11.20150617
nProtect              Adware.InstallBrain.E               14.09.07.01
Panda Antivirus       Trj/Genetic.gen                     15.06.17.03
Quick Heal            PUA.Purpletech.Gen                  6.15.14.00
Reason Heuristics     PUP.Performersoft.Bundler           15.6.17.15
Rising Antivirus      PE:Malware.Obscure!1.9C59           23.00.65.15615
Sophos                PUA 'InstallBrain'                  5.15
SUPERAntiSpyware      Questionable.Resource               9808
Vba32 AntiVirus       AdWare.BrainInst                    3.12.26.3
VIPRE Antivirus       Threat.4759033                      32938
Zillya! Antivirus     Adware.BrainInst.Win32.108          2.0.0.1902

File size:
1.2 MB (1,271,584 bytes)

Product version:
14.9.11.11

Copyright:
Copyright 2014

Original file name:
CodecPerformerSetup.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
12/15/2013 8:50:01 PM

Valid to:
9/12/2015 4:45:58 AM

Subject:
CN=PurpleTech Software Inc, O=PurpleTech Software Inc, L=Beaverton, S=Oregon, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
043990240F90A4

File PE Metadata
Compilation timestamp:
8/20/2014 10:24:30 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:k1QfopqgxbibCXi6kgaINVD4W7CS7YsXDV6YkHzr9jWp04b9GOjbvD/+XbdeXcKY:k1wgIGXiTcNV7CS7bkY8xWa4bbDmXbdb

Entry address:
0x1A81F

Entry point:
E8, 30, 6D, FF, FF, E9, 2B, 9D, FE, FF, C7, 01, 64, B5, 41, 00, E9, B8, 64, FF, FF, 8B, FF, 55, 8B, EC, 56, 8B, F1, C7, 06, 64, B5, 41, 00, E8, A5, 64, FF, FF, F6, 45, 08, 01, 74, 07, 56, E8, 69, 20, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, 51, 10, 56, 8B, 32, 8D, 41, 48, 3B, F0, 74, 12, 89, 71, 3C, 8B, 71, 30, 8B, 36, 57, 8B, 79, 20, 03, 37, 5F, 89, 71, 40, 89, 02, 8B, 51, 20, 89, 02, 8B, D1, 2B, D0, 8B, 41, 30, 83, C2, 49, 89, 10, 5E, C3, B8, 60, 3A, 42, 00, C3, C7, 45, FC, FF, FF, FF, FF, B8, F6, 2F...

Code size:
102.5 KB (104,960 bytes)
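The "File PE Metadata" fields above (compilation timestamp, OS version, bitness, subsystem, linker version, entry address, the entry-point bytes and code size) are all read straight out of the PE headers. The following is an added example, not code from the report or from PurpleTech/InstallBrain: it parses those header fields, maps the entry RVA to a file offset through the section table to read the entry-point bytes, and checks the compile timestamp against the signing certificate's "Valid to" date. It runs on a constructed minimal PE32 image whose header values are set to the ones listed above; the section layout, the zero padding between the headers and the entry point, and the UTC interpretation of the certificate date are assumptions, and only the first 16 entry-point bytes are the ones the report prints.

```python
import struct
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
# "Valid to" from the signature block above; the report gives no zone, UTC is assumed.
CERT_NOT_AFTER = datetime(2015, 9, 12, 4, 45, 58, tzinfo=timezone.utc)


def _optional_header_layout(magic):
    """Field names and struct format of IMAGE_OPTIONAL_HEADER up to Subsystem."""
    names = ["magic", "linker_major", "linker_minor", "size_of_code", "size_of_init_data",
             "size_of_uninit_data", "entry_rva", "base_of_code"]
    if magic == 0x10B:        # PE32: BaseOfData present, 32-bit ImageBase
        names += ["base_of_data", "image_base"]
        fmt = "<HBB" + "I" * 7
    elif magic == 0x20B:      # PE32+: no BaseOfData, 64-bit ImageBase
        names += ["image_base"]
        fmt = "<HBB" + "I" * 5 + "Q"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    names += ["section_alignment", "file_alignment", "os_major", "os_minor", "image_major",
              "image_minor", "subsys_major", "subsys_minor", "win32_version",
              "size_of_image", "size_of_headers", "checksum", "subsystem"]
    return names, fmt + "II" + "H" * 6 + "I" * 4 + "H"


def parse_pe(data):
    """Return the report-style metadata plus the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    names, fmt = _optional_header_layout(magic)
    opt = dict(zip(names, struct.unpack_from(fmt, data, opt_off)))
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {
        "bitness": "Win32" if magic == 0x10B else "Win64",
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "linker_version": "%d.%d" % (opt["linker_major"], opt["linker_minor"]),
        "os_version": "%d.%d" % (opt["os_major"], opt["os_minor"]),
        "subsystem": SUBSYSTEMS.get(opt["subsystem"], "unknown (%d)" % opt["subsystem"]),
        "entry_rva": opt["entry_rva"], "code_size": opt["size_of_code"], "sections": sections,
    }


def rva_to_offset(pe, rva):
    """Translate an RVA to a file offset via the section that contains it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def entry_bytes(data, n=16):
    """First n bytes of code at AddressOfEntryPoint (what the report prints)."""
    pe = parse_pe(data)
    off = rva_to_offset(pe, pe["entry_rva"])
    return data[off:off + n]


def compiled_before_cert_expiry(pe, not_after=CERT_NOT_AFTER):
    """A compile timestamp later than the signer's NotAfter means the file was signed
    with an already-expired certificate or carries a forged timestamp."""
    return pe["compile_time"] <= not_after


def build_sample():
    """Constructed PE32 image carrying the report's header values (not the real file)."""
    stamp = int(datetime(2014, 8, 20, 10, 24, 30, tzinfo=timezone.utc).timestamp())
    entry_rva, text_va, text_raw = 0x1A81F, 0x1000, 0x200          # section layout assumed
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 1, stamp, 0, 0, 224, 0x0102)
    _, fmt = _optional_header_layout(0x10B)
    opt = struct.pack(fmt, 0x10B, 10, 0, 104960, 0, 0, entry_rva, text_va, 0x1B000,
                      0x400000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0, 0x30000, text_raw, 0, 2)
    opt += b"\0" * (224 - len(opt))                                # rest of the optional header
    text = struct.pack(SECTION_FMT, b".text", 0x1A000, text_va, 0x1A000, text_raw,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + text
    entry_off = text_raw + (entry_rva - text_va)
    entry = bytes.fromhex("E8306DFFFFE92B9DFEFFC70164B54100")     # first 16 bytes listed above
    return headers + b"\0" * (entry_off - len(headers)) + entry


def check_sample():
    data = build_sample()
    pe = parse_pe(data)
    return {"compile_time": pe["compile_time"].isoformat(), "bitness": pe["bitness"],
            "linker": pe["linker_version"], "os": pe["os_version"], "subsystem": pe["subsystem"],
            "entry_rva": pe["entry_rva"], "code_size": pe["code_size"],
            "entry_hex": entry_bytes(data, 5).hex().upper(),
            "compiled_before_cert_expiry": compiled_before_cert_expiry(pe)}
```

Run `check_sample()` to see the report's values reproduced from the headers. On the real file, pass the file's bytes to `parse_pe` and `entry_bytes` instead of `build_sample()`; the compile timestamp (8/20/2014) sits inside the certificate's validity window, which is what a legitimately signed build should show, whereas a timestamp after 9/12/2015 would point at a forged header or an invalid signature.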

The file CodecPerformerSetup.exe has been seen being distributed from www.jetappspeed.com.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-235-159-97.compute-1.amazonaws.com  (54.235.159.97:80)

TCP (HTTP):
Connects to 174.36.241.169-static.reverse.softlayer.com  (174.36.241.169:80)
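The indicators on this page (the three file hashes, the distribution domain and the two HTTP endpoints) are what an analyst would turn into a hunt. The following is an added example, not code from the report or from Reason Core Security: it compares a file's hashes against the report's values and scans web proxy log lines for the download domain and the two destination IPs, then triages per source host. The key=value log format, the sample log lines and the IP used for www.jetappspeed.com (203.0.113.7) are constructed for the example and are not from the report.

```python
import hashlib
import re

# Indicators copied from the report above.
IOC_HASHES = {
    "md5": "5e424f83c87c497bf14813fa3671c5df",
    "sha1": "4c3226c6c056d0244f147cd4f307a20c32a54859",
    "sha256": "33a08b0192b78041eb78a5b2460f7311a5bf1f805006eaaf4ab6a4fae6ea266f",
}
IOC_DOMAINS = {"www.jetappspeed.com"}
IOC_IPS = {"54.235.159.97", "174.36.241.169"}
IOC_NAME = "codecperformersetup.exe"


def file_hashes(data):
    """MD5/SHA-1/SHA-256 of a file's bytes, in the report's hex form."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def matching_hashes(data):
    """Algorithms under which `data` hashes to the report's value (empty = not this sample)."""
    return sorted(alg for alg, h in file_hashes(data).items() if h == IOC_HASHES[alg])


# Constructed key=value proxy log format for this example, not a real product's format.
LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+) "
                    r"host=(?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+)")


def classify(line):
    """Return (kind, confidence) for a log line that touches a report indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = m["host"].lower(), m["path"].lower()
    if host in IOC_DOMAINS:
        # Fetching the installer by name from the distribution domain is the strongest network hit.
        return ("download", "high") if path.endswith(IOC_NAME) else ("domain", "high")
    if m["dst"] in IOC_IPS:
        # Both endpoints sit in shared hosting (EC2, SoftLayer); a bare IP hit needs corroboration.
        return ("ip", "medium")
    return None


def hunt(lines):
    """All log lines matching an indicator, with the fields needed for follow-up."""
    hits = []
    for line in lines:
        c = classify(line)
        if c:
            m = LOG_RE.match(line)
            hits.append({"ts": m["ts"], "src": m["src"], "host": m["host"],
                         "kind": c[0], "confidence": c[1]})
    return hits


def triage(hits):
    """Per source: a download followed by traffic to the endpoints is 'infected';
    IP-only hits stay 'review' because the address space is shared."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h["src"], set()).add(h["kind"])
    return {src: "infected" if {"download", "ip"} <= kinds else "review"
            for src, kinds in by_src.items()}


# Constructed sample log: one host downloads the installer and then reaches both endpoints.
SAMPLE_LOG = """\
2018-05-28T07:11:02Z src=10.0.0.15 dst=203.0.113.7:80 host=www.jetappspeed.com GET /dl/CodecPerformerSetup.exe
2018-05-28T07:12:20Z src=10.0.0.15 dst=54.235.159.97:80 host=ec2-54-235-159-97.compute-1.amazonaws.com POST /
2018-05-28T07:12:21Z src=10.0.0.15 dst=174.36.241.169:80 host=174.36.241.169 GET /
2018-05-28T07:13:00Z src=10.0.0.22 dst=198.51.100.9:443 host=www.example.com GET /
2018-05-28T07:14:05Z src=10.0.0.31 dst=174.36.241.169:80 host=174.36.241.169 GET /
""".splitlines()
```

`triage(hunt(SAMPLE_LOG))` marks 10.0.0.15 as infected and leaves 10.0.0.31 for review: its only evidence is a connection to a SoftLayer address that other tenants may share. Confirm a suspect host by hashing the downloaded file with `matching_hashes` (any of the three algorithms matching is conclusive; MD5 and SHA-1 are fine for lookup here, since the question is identity against a published value, not collision resistance).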

Remove CodecPerformerSetup.exe - Powered by Reason Core Security