codecperformersetup.exe

Installer

YellowSoft Inc

This is the Performersoft setup installer. The application codecperformersetup.exe by YellowSoft Inc has been detected as adware by 37 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from www.softologicsb.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
YellowSoft Inc  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
108accb6db6fe80b76860fad204d6490

SHA-1:
8942ba7f628a5352653c56d331b02774197a83c6

SHA-256:
e2e3b48658d2051f7ad134ea589917cf13ffe9252b97f096426a85ba5e3be8ab

Scanner detections:
37 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/25/2024 9:41:47 AM UTC

Scan engine                   | Detection                                              | Engine version
------------------------------|--------------------------------------------------------|---------------
Lavasoft Ad-Aware             | Application.Bundler.InstallBrain.A                     | 6174449
Agnitum Outpost               | Adware.BrainInst                                       | 7.1.1
AhnLab V3 Security            | Adware/Win32.BrainInst                                 | 14.12.17
Avira AntiVirus               | APPL/InstallBrain.Gen                                  | 7.11.144.152
avast!                        | Win32:InstallBrain-BF [PUP]                            | 141214-1
AVG                           | Trojan horse Downloader.Generic13                      | 2015.0.3257
Bitdefender                   | Application.Bundler.InstallBrain.A                     | 1.0.20.1755
Clam AntiVirus                | Win.Trojan.Installbrain-270                            | 0.98/19795
Comodo Security               | TrojWare.Win32.Brantall.A                              | 18140
Dr.Web                        | Adware.Downware.1578                                   | 9.0.1.05190
Emsisoft Anti-Malware         | Application.Bundler.InstallBrain                       | 9.0.0.4668
ESET NOD32                    | Win32/InstallBrain.AY potentially unwanted application | 7.0.302.0
Fortinet FortiGate            | Adware/BrainInst                                       | 12/17/2014
F-Prot                        | W32/IBrain.B2.gen                                      | v6.4.7.1.166
F-Secure                      | Riskware.Application.Bundler.InstallBrain              | 5.13.68
G Data                        | Application.Bundler.InstallBrain                       | 14.12.24
IKARUS anti.virus             | not-a-virus:Downloader.Win32.Agent                     | t3scan.1.6.1.0
K7 AntiVirus                  | Trojan-Downloader                                      | 13.176.11524
Kaspersky                     | Trojan-Downloader.Win32.BrainInst                      | 15.0.0.543
Malwarebytes                  | Adware.InstallBrain                                    | v2014.12.17.05
McAfee                        | PUP-FDT!EEF04BF470C2                                   | 5600.6913
Microsoft Security Essentials | Threat.Undefined                                       | 1.173.2153.0
MicroWorld eScan              | Application.Bundler.InstallBrain.A                     | 15.0.0.1053
NANO AntiVirus                | Trojan.Win32.Downware.cqhnzm                           | 0.28.0.59288
Norman                        | Application.Bundler.InstallBrain.A                     | 04.12.2014 14:30:06
nProtect                      | Trojan-Downloader/W32.BrainInst.875416                 | 14.03.21.01
Panda Antivirus               | PUP/Ibups                                              | 14.12.17.05
Qihoo 360 Security            | Malware.QVM10.Gen                                      | 1.0.0.1015
Quick Heal                    | TrojanDownloader.Brantall.A5                           | 12.14.12.00
Reason Heuristics             | PUP.Installer.YellowSoft.T                             | 14.12.17.17
Rising Antivirus              | PE:Trojan.Brantall!6.100B                              | 23.00.65.141215
Sophos                        | PUA 'InstallBrain'                                     | 5.09
SUPERAntiSpyware              | PUP.InstallBrain/Variant                               | 10172
Total Defense                 | Win32/Tnega.ICFFLHD                                    | 37.0.10889
Vba32 AntiVirus               | TrojanDownloader.BrainInst                             | 3.12.26.0
VIPRE Antivirus               | InstallBrain                                           | 28448
Zillya! Antivirus             | Downloader.BrainInst.Win32.7                           | 2.0.0.1790

File size:
854.9 KB (875,416 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\codecperformersetup.exe

Digital Signature
Signed by:
YellowSoft Inc
Authority:
GoDaddy.com, Inc.

Valid from:
9/11/2012 10:45:31 PM

Valid to:
9/11/2015 10:45:31 PM

Subject:
CN=YellowSoft Inc, O=YellowSoft Inc, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4EC8FFEF413CDC

File PE Metadata
Compilation timestamp:
10/24/2013 1:27:57 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:niMWqTyWEWJLIJC3YuGb+EPqrCM4x1ae47Rd3NM:irqTykqcwACM+weoL3y

Entry address:
0xFEEC

Entry point:
E8, 3F, 82, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 4C, 31, 43, 00, 00, 75, 18, E8, 8A, 7A, 00, 00, 6A, 1E, E8, D4, 78, 00, 00, 68, FF, 00, 00, 00, E8, 7C, 72, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 4C, 31, 43, 00, FF, 15, 48, 50, 42, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, C4, 31, 43, 00, 74, 0D, 53, E8, AA, 39, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 4F, 01, 00, 00, 89, 30, E8, 48, 01, 00, 00, 89...
Entropy:
7.7547  (probably packed)

Code size:
143.5 KB (146,944 bytes)

The file codecperformersetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)