codecperformersetup.exe

Installer

PPCTechSoft Inc.

This is the Performersoft setup installer. The application codecperformersetup.exe by PPCTechSoft has been detected as adware by 21 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from www.softologicsa.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
PPCTechSoft Inc.  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
95b8cd811e10b0ccbb67984e379095ed

SHA-1:
ef61664863c58f444237b7b0ae5560f1358bba32

SHA-256:
bf33ea005718f8cd05cb9784a7300cac48732c79557b0428ae2101f93b915a1c

Scanner detections:
21 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
4/20/2024 12:08:14 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Application.Bundler.InstallBrain.A | 952 |
| Agnitum Outpost | Trojan.DL.Brantall | 7.1.1 |
| Avira AntiVirus | TR/Dldr.Brantall.A.7 | 7.11.157.128 |
| avast! | Win32:Installer-AG [PUP] | 140617-1 |
| AVG | Potentially harmful program Skodna.Downloader.CB | 2014.0.3986 |
| Bitdefender | Application.Bundler.InstallBrain.A | 1.0.20.895 |
| Clam AntiVirus | Win.Trojan.Installbrain-28 | 0.98/21411 |
| Dr.Web | Adware.Downware.1350 | 9.0.1.05190 |
| ESET NOD32 | Win32/InstallBrain.AO potentially unwanted application | 7.0.302.0 |
| F-Prot | W32/IBrain.G.gen | 4.6.5.141 |
| F-Secure | Application.Bundler.InstallBrain | 11.2014-28-06_7 |
| G Data | Application.Bundler.InstallBrain | 14.6.24 |
| IKARUS anti.virus | AdWare.InstallBrain | t3scan.1.6.1.0 |
| Malwarebytes | Adware.InstallBrain | v2014.06.28.09 |
| Microsoft Security Essentials | Threat.Undefined | 1.177.1053.0 |
| MicroWorld eScan | Application.Bundler.InstallBrain.A | 15.0.0.537 |
| NANO AntiVirus | Trojan.Win32.Downware.crmtmu | 0.28.0.60475 |
| Quick Heal | TrojanDownloader.Brantall.A5 | 6.14.14.00 |
| Reason Heuristics | PUP.Installer.PPCTechSoft.T | 14.8.8.0 |
| Sophos | InstallBrain | 4.98 |
| VIPRE Antivirus | Threat.4150696 | 29708 |

File size:
726.8 KB (744,248 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\codecperformersetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
3/29/2013 7:18:32 PM

Valid to:
3/29/2016 8:18:32 PM

Subject:
CN=PPCTechSoft Inc., O=PPCTechSoft Inc., L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0782D382C7277D

File PE Metadata
Compilation timestamp:
8/1/2013 12:07:19 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:JxVXDUakDljM2iuOTST/5kxyIWVW5NVptjiq5LpCmOrrMjpn1uuWNHfu8dPXuMfS:lDUjViZTghw5NLYWLphOrrMj3unNG8hs

Entry address:
0xF0A6

Entry point:
E8, 7B, 5F, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 20, EF, 42, 00, 00, 75, 18, E8, C6, 57, 00, 00, 6A, 1E, E8, 10, 56, 00, 00, 68, FF, 00, 00, 00, E8, DC, 50, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 20, EF, 42, 00, FF, 15, 68, 40, 42, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, 44, EF, 42, 00, 74, 0D, 53, E8, 66, 41, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 61, 09, 00, 00, 89, 30, E8, 5A, 09, 00, 00, 89...

Code size:
136.5 KB (139,776 bytes)

The file codecperformersetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
