ibsvc.exe

InstallBrain Installer

Performersoft LLC

This is the Performersoft setup installer. The application ibsvc.exe by Performersoft has been detected as a potentially unwanted program by 34 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. While running, it connects to the Internet address www.ibbalance.com on port 443.

Publisher:
InstallBrain (signed by Performersoft LLC)

Product:
InstallBrain Installer

Version:
14,1,1,4

MD5:
c958da808d0981508328089943c74778

SHA-1:
41fccf8a7be575c987c3321c88764da99505f532

SHA-256:
2deea89a2138619071dfa2127491b364cfbd1caf30926f8a04adc2f869aa425a

Scanner detections:
34 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 12:44:20 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Bundler.InstallBrain.A
835

Agnitum Outpost
Adware.BrainInst
7.1.1

Avira AntiVirus
APPL/InstallBrain.Gen5
7.11.141.186

avast!
Win32:InstallBrain-F [PUP]
141003-0

AVG
Potentially harmful program Downloader.ARY
2014.0.4040

Bitdefender
Application.Bundler.InstallBrain.A
1.0.20.1475

Clam AntiVirus
Win.Adware.Installbrain-12
0.98/18355

Comodo Security
ApplicUnwnt.Win32.AdWare.IBrain.C
18066

Dr.Web
Adware.Downware.1295
9.0.1.05190

Emsisoft Anti-Malware
Application.Bundler.InstallBrain
14.10.22

ESET NOD32
Win32/InstallBrain potentially unwanted application
7.0.302.0

Fortinet FortiGate
Adware/BrainInst
10/22/2014

F-Prot
W32/IBrain.B.gen
4.6.5.141

F-Secure
Trojan:W32/InstallBrain.A
11.2014-22-10_4

G Data
Win32.Application.InstallBrain
14.10.24

IKARUS anti.virus
Trojan-Downloader.Win32.Brantall
t3scan.1.6.1.0

K7 AntiVirus
Adware
13.176.11684

Kaspersky
not-a-virus:AdWare.Win32.BrainInst
15.0.0.494

Malwarebytes
Adware.InstallBrain
v2014.10.22.02

McAfee
Artemis!0578C970301F
5600.6969

Microsoft Security Essentials
1.10401

MicroWorld eScan
Application.Bundler.InstallBrain.A
15.0.0.885

NANO AntiVirus
Trojan.Win32.Downware.crasga
0.28.0.59048

nProtect
Trojan-Clicker/W32.BrainInst.669216
14.10.22.01

Panda Antivirus
PUP/Ibups
14.10.22.02

Quick Heal
TrojanDownloader.Brantall.A5
10.14.12.00

Reason Heuristics
PUP.Installer.Performersoft.F
14.10.22.14

Rising Antivirus
PE:Malware.InstallBrain!6.E2
23.00.65.141020

Sophos
InstallBrain
4.98

SUPERAntiSpyware
Adware.IBrain
10284

Trend Micro House Call
HV_IBRAIN_CG092A6F.RDXN
7.2.295

Vba32 AntiVirus
AdWare.BrainInst
3.12.26.0

VIPRE Antivirus
InstallBrain
28115

Zillya! Antivirus
Adware.BrainInst.Win32.32
2.0.0.1964

File size:
653.5 KB (669,216 bytes)

Product version:
14,1,1,4

Copyright:
Copyright 2011

Trademarks:
InstallBrain

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\ProgramData\application data\ibupdaterservice\ibsvc.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
6/27/2012 10:28:03 PM

Valid to:
6/27/2015 10:28:03 PM

Subject:
CN=Performersoft LLC, O=Performersoft LLC, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07DAC5F73C6773

File PE Metadata
Compilation timestamp:
7/11/2012 1:33:39 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:hNpbGph0W2KjUnD0CbEFsifQciGVU22536xIPjtnYkZKiUzd0FHgZgA4WzoxY:Ypn+YQc8oOBYkZKisd0yZgA47Y

Entry address:
0x1ACF3

Entry point:
E8, F1, 36, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...
 

Code size:
155 KB (158,720 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com (173.192.190.227:443)

TCP (HTTP):
