de1ozyhv.exe

Installer

Performersoft LLC

This is the Performersoft setup installer. The file de1ozyhv.exe by Performersoft has been detected as a potentially unwanted program by 29 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Performersoft LLC  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
3c553de3210183d68dbfe9bcf701c2ff

SHA-1:
54737601da373ad356e6b498f153c6850859d335

SHA-256:
4ceca99ac2527d1c6474f1cf051ee942ff5c6b9e73120b6dfdd0bbf0ad242b34

Scanner detections:
29 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
4/19/2024 8:27:09 AM UTC

Scan engine                   | Detection                                             | Engine version
------------------------------|-------------------------------------------------------|----------------
Lavasoft Ad-Aware             | Application.Bundler.InstallBrain.A                    | 838
Agnitum Outpost               | Trojan.DL.Brantall                                    | 7.1.1
AhnLab V3 Security            | Trojan/Win32.Brantall                                 | 2014.10.20
Avira AntiVirus               | APPL/InstallBrain.Gen                                 | 7.11.179.162
avast!                        | Win32:InstallBrain-AN [PUP]                           | 141003-0
AVG                           | Trojan horse Downloader.Generic13.BQGG                | 2014.0.4040
Bitdefender                   | Application.Bundler.InstallBrain.A                    | 1.0.20.1460
Clam AntiVirus                | Win.Adware.Installbrain-517                           | 0.98/21411
Comodo Security               | Application.Win32.InstallBrain.AH                     | 19852
Dr.Web                        | Adware.Downware.1458                                  | 9.0.1.05190
Emsisoft Anti-Malware         | Application.Bundler.InstallBrain                      | 14.10.19
ESET NOD32                    | Win32/InstallBrain.AP potentially unwanted application | 7.0.302.0
F-Prot                        | W32/A-b601ba44                                        | v6.4.7.1.166
F-Secure                      | Trojan:W32/InstallBrain.A                             | 11.2014-19-10_1
G Data                        | Application.Bundler.InstallBrain                      | 14.10.24
K7 AntiVirus                  | Unwanted-Program                                      | 13.184.13727
Kaspersky                     | not-a-virus:HEUR:AdWare.Win32.BrainInst               | 15.0.0.494
Malwarebytes                  | Adware.InstallBrain                                   | v2014.10.19.06
Microsoft Security Essentials | Threat.Undefined                                      | 1.185.3705.0
MicroWorld eScan              | Application.Bundler.InstallBrain.A                    | 15.0.0.876
NANO AntiVirus                | Riskware.Win32.BrainInst.cqttfb                       | 0.28.2.62671
nProtect                      | Trojan-Clicker/W32.BrainInst.827232                   | 14.10.19.01
Quick Heal                    | TrojanDownloader.Brantall.A5                          | 10.14.14.00
Reason Heuristics             | PUP.Installer.Performersoft.M                         | 14.10.19.17
Sophos                        | InstallBrain                                          | 4.98
Total Defense                 | Win32/Tnega.LVcHJRC                                   | 37.0.11237
Vba32 AntiVirus               | TrojanDownloader.BrainInst                            | 3.12.26.3
VIPRE Antivirus               | Threat.4759033                                        | 33706
Zillya! Antivirus             | Downloader.BrainInst.Win32.9                          | 2.0.0.1959

File size:
807.8 KB (827,232 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\de1ozyhv.exe.part

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
6/27/2012 10:28:03 PM

Valid to:
6/27/2015 10:28:03 PM

Subject:
CN=Performersoft LLC, O=Performersoft LLC, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07DAC5F73C6773

File PE Metadata
Compilation timestamp:
9/3/2013 11:51:48 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:iNeZxo4TkgPppRuLVeoKm1s8DCxh/FjJFei:HLo4THh6RKmS8DCxn3ei

Entry address:
0xC2CD

Entry point:
E8, 56, 53, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 28, 77, 42, 00, 00, 75, 18, E8, A1, 4B, 00, 00, 6A, 1E, E8, EB, 49, 00, 00, 68, FF, 00, 00, 00, E8, B1, 2F, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 28, 77, 42, 00, FF, 15, 48, C0, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, 2C, 77, 42, 00, 74, 0D, 53, E8, C7, 2D, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 23, 1E, 00, 00, 89, 30, E8, 1C, 1E, 00, 00, 89...
Code size:
107 KB (109,568 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove de1ozyhv.exe - Powered by Reason Core Security