rocketpdfsetup.exe

Installer

YellowSoft Inc

This is the Performersoft setup installer. The application rocketpdfsetup.exe by YellowSoft Inc has been detected as adware by 29 anti-malware scanners. The program is a setup application built on the InstallBrain installer, a pay-per-install monetization download manager, which bundles additional offers, mostly adware, alongside the requested software. InstallBrain also installs a background updater service that updates any installed browser add-ons and plug-ins. The file has been observed being downloaded from www.softologicsa.com. While running, it connects to the Internet address www.ibbalance.com on port 443.

Publisher:
YellowSoft Inc  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
ea6afdfd0564b994c59d77b808e2999a

SHA-1:
440141099d87a72eab28192432023acf8e9d8a1d

SHA-256:
d310deb9318010880e470cdb7a6cd1d15c202221122595dca88423ea91c00572

Scanner detections:
29 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/25/2024 4:20:47 AM UTC

Scan engine                    Detection                                              Engine version

Lavasoft Ad-Aware              Application.Bundler.InstallBrain.A                     951
Agnitum Outpost                Adware.BrainInst                                       7.1.1
Avira AntiVirus                APPL/InstallBrain.Gen                                  7.11.157.140
avast!                         Win32:Installer-AB [PUP]                               140617-1
AVG                            Adware AdInstaller.InstallBrain                        2014.0.3986
Bitdefender                    Application.Bundler.InstallBrain.A                     1.0.20.900
Comodo Security                Application.Win32.InstallBrain.AC                      18707
Dr.Web                         Adware.Downware.1295                                   9.0.1.05190
ESET NOD32                     Win32/InstallBrain.W potentially unwanted application  7.0.302.0
Fortinet FortiGate             Adware/BrainInst                                       6/29/2014
F-Prot                         W32/IBrain.D.gen                                       4.6.5.141
F-Secure                       Application.Bundler.InstallBrain                       11.2014-29-06_1
G Data                         Application.Bundler.InstallBrain                       14.6.24
IKARUS anti.virus              AdWare.InstallBrain                                    t3scan.1.6.1.0
K7 AntiVirus                   Adware                                                 13.180.12553
Kaspersky                      not-a-virus:AdWare.Win32.BrainInst                     15.0.0.463
Malwarebytes                   Adware.InstallBrain                                    v2014.06.29.06
Microsoft Security Essentials  Threat.Undefined                                       1.177.1092.0
MicroWorld eScan               Application.Bundler.InstallBrain.A                     15.0.0.540
NANO AntiVirus                 Trojan.Win32.Downware.crnrmv                           0.28.0.60475
Panda Antivirus                PUP/Ibups                                              14.06.29.06
Quick Heal                     TrojanDownloader.Brantall.A5                           6.14.14.00
Reason Heuristics              PUP.Installer.YellowSoft.O                             14.8.7.20
Rising Antivirus               PE:Malware.InstallBrain!6.1756                         23.00.65.14627
Sophos                         InstallBrain                                           4.98
SUPERAntiSpyware               Adware.InstallBrain/Variant                            10514
Vba32 AntiVirus                AdWare.BrainInst                                       3.12.26.3
VIPRE Antivirus                Threat.4759033                                         29708
Zillya! Antivirus              Adware.BrainInst.Win32.51                              2.0.0.1841

File size:
629.8 KB (644,888 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\rocketpdfsetup.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
9/12/2012 4:45:31 AM

Valid to:
9/12/2015 4:45:31 AM

Subject:
CN=YellowSoft Inc, O=YellowSoft Inc, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4EC8FFEF413CDC

File PE Metadata
Compilation timestamp:
3/13/2013 11:52:25 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:IRpNDv/EMB8KXuj6wpGP3552XAJkGmZ0/xheRv6WlWGQEkedDkmHIW:kkkX46XN00/xhEvRlW6ZqW

Entry address:
0x18E77

Entry point:
E8, 74, 50, 00, 00, E9, 89, FE, FF, FF, 6A, 0C, 68, B8, D4, 42, 00, E8, 23, 18, 00, 00, 6A, 0E, E8, 71, 52, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 90, 17, 43, 00, BA, 8C, 17, 43, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A, 04, 50, E8, DD, E8, FF, FF, 59, FF, 76, 04, E8, D4, E8, FF, FF, 59, 83, 66, 04, 00, C7, 45, FC, FE, FF, FF, FF, E8, 0A, 00, 00, 00, E8, 12, 18, 00, 00, C3, 8B, D0, EB, C5, 6A, 0E, E8, 3D, 51, 00, 00, 59, C3, CC, CC, CC, CC, CC, CC...

Code size:
155.5 KB (159,232 bytes)

The file rocketpdfsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove rocketpdfsetup.exe - Powered by Reason Core Security