fauaaicx.exe

Installer

Performersoft LLC

This is the Performersoft setup installer. The file fauaaicx.exe by Performersoft has been detected as a potentially unwanted program by 32 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Performersoft LLC  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
379826c1e56ab639430b7181bc07201c

SHA-1:
389cc654417f744947afeb9da652f3f6ba3e8197

SHA-256:
29a04847e47b581605c1a481512f27a7d99ce13d8615b7015493003495dfc4d9

Scanner detections:
32 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
4/25/2024 10:16:03 AM UTC  (today)

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Application.Bundler.InstallBrain.A | 5823004 |
| Agnitum Outpost | Trojan.Adware | 7.1.1 |
| AhnLab V3 Security | PUP/Win32.BrainInst | 2014.11.22 |
| Avira AntiVirus | APPL/InstallBrain.Gen | 7.11.188.28 |
| avast! | Win32:Malware-gen | 141119-1 |
| AVG | Downloader.Generic13 | 2015.0.3283 |
| Bitdefender | Application.Bundler.InstallBrain.A | 1.0.20.1625 |
| Clam AntiVirus | Win.Adware.Installbrain-480 | 0.98/21511 |
| Comodo Security | Application.Win32.InstallBrain.AG | 20156 |
| Dr.Web | Adware.Downware.1492 | 9.0.1.05190 |
| Emsisoft Anti-Malware | Application.Bundler.InstallBrain | 9.0.0.4570 |
| ESET NOD32 | Win32/InstallBrain.AS potentially unwanted application | 7.0.302.0 |
| F-Prot | W32/A-b601ba44 | v6.4.7.1.166 |
| F-Secure | Trojan:W32/InstallBrain.A | 11.2014-21-11_6 |
| G Data | Application.Bundler.InstallBrain | 14.11.24 |
| K7 AntiVirus | Unwanted-Program | 13.185.14098 |
| Kaspersky | not-a-virus:HEUR:AdWare.Win32.BrainInst | 15.0.0.543 |
| Malwarebytes | Adware.InstallBrain | v2014.11.21.10 |
| Microsoft Security Essentials | Threat.Undefined | 1.189.439.0 |
| MicroWorld eScan | Application.Bundler.InstallBrain.A | 15.0.0.975 |
| NANO AntiVirus | Riskware.Win32.BrainInst.crchst | 0.28.6.63474 |
| nProtect | Trojan-Clicker/W32.BrainInst.817536 | 14.11.21.01 |
| Panda Antivirus | PUP/Ibups | 14.11.21.10 |
| Qihoo 360 Security | Malware.QVM10.Gen | 1.0.0.1015 |
| Quick Heal | TrojanDownloader.Brantall.A5 | 11.14.14.00 |
| Reason Heuristics | PUP.Installer.Performersoft.M | 14.11.21.22 |
| Sophos | InstallBrain | 4.98 |
| SUPERAntiSpyware | Adware.InstallBrain/Variant | 10223 |
| Total Defense | Win32/Tnega.NDWdWG | 37.0.11291 |
| Vba32 AntiVirus | AdWare.BrainInst | 3.12.26.3 |
| VIPRE Antivirus | InstallBrain | 35008 |
| Zillya! Antivirus | Downloader.BrainInst.Win32.15 | 2.0.0.1990 |

File size:
798.4 KB (817,536 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\fauaaicx.exe.part

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
6/27/2012 4:28:03 PM

Valid to:
6/27/2015 4:28:03 PM

Subject:
CN=Performersoft LLC, O=Performersoft LLC, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07DAC5F73C6773

File PE Metadata
Compilation timestamp:
9/20/2013 7:20:26 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:a5qQTl4G1RcOQok7o93YbFJJGCcP7lxOyOi7Rd3NY:aQQT6GEOyo9kFLtcP7lxLnL3G

Entry address:
0xD6BD

Entry point:
E8, 62, 4C, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 24, 67, 42, 00, 00, 75, 18, E8, AD, 44, 00, 00, 6A, 1E, E8, F7, 42, 00, 00, 68, FF, 00, 00, 00, E8, 31, 26, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 24, 67, 42, 00, FF, 15, 58, B0, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, 28, 67, 42, 00, 74, 0D, 53, E8, 81, 19, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 53, 19, 00, 00, 89, 30, E8, 4C, 19, 00, 00, 89...

Entropy:
7.8003  (probably packed)

Code size:
104 KB (106,496 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
