rocketpdfsetup.exe

Installer

We Code Good Inc.

This is the Performersoft setup installer. The application rocketpdfsetup.exe by We Code Good has been detected as adware by 35 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. The file has been observed being downloaded from www.softologicsa.com and multiple other hosts. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
We Code Good Inc.  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
d28fe1f0b440834f61c02fc3626c235b

SHA-1:
705cefbf1415e92aec2d102fb88cc43669d0f5be

SHA-256:
114bc2893948f5311acd7fac37758134a716a753ad28bcd4a3c5af61380b27e9

Scanner detections:
35 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/19/2024 7:10:08 PM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Bundler.InstallBrain.A
919

Agnitum Outpost
Trojan.DL.Brantall
7.1.1

AhnLab V3 Security
Adware/Win32.BrainInst
2014.06.29

Avira AntiVirus
APPL/InstallBrain.AH
7.11.140.200

avast!
Win32:InstallBrain-AN [PUP]
2014.9-140731

AVG
Downloader.Generic13
2015.0.3397

Bitdefender
Application.Bundler.InstallBrain.A
1.0.20.1060

Clam AntiVirus
Win.Adware.Agent-6878
0.98/21411

Comodo Security
Application.Win32.InstallBrain.AH
18034

Dr.Web
Adware.Downware.1458
9.0.1.0212

Emsisoft Anti-Malware
Gen:Variant.Kazy.284891
8.14.07.31.11

ESET NOD32
Win32/InstallBrain.AP (variant)
8.9624

Fortinet FortiGate
Riskware/InstallBrain
7/31/2014

F-Prot
W32/IBrain.G.gen
v6.4.6.5.141

F-Secure
Application.Bundler.InstallBrain
11.2014-31-07_5

G Data
Win32.Application.InstallBrain
14.7.24

IKARUS anti.virus
AdWare.BrainInst
t3scan.2.2.29

K7 AntiVirus
Unwanted-Program
13.176.11584

Kaspersky
not-a-virus:HEUR:AdWare.Win32.BrainInst
14.0.0.3478

Malwarebytes
Adware.InstallBrain
v2014.07.31.11

McAfee
Artemis!D28FE1F0B440
5600.7053

Microsoft Security Essentials
TrojanDownloader:Win32/Brantall.A
1.10401

MicroWorld eScan
Application.Bundler.InstallBrain.A
15.0.0.636

NANO AntiVirus
Riskware.Win32.BrainInst.cqttfb
0.28.0.58873

nProtect
Trojan-Downloader/W32.BrainInst.755136
14.06.27.01

Panda Antivirus
Trj/OCJ.D
14.07.31.11

Qihoo 360 Security
Win32/Virus.Adware.375
1.0.0.1015

Quick Heal
TrojanDownloader.Brantall.A5
7.14.12.00

Reason Heuristics
PUP.Installer.WeCodeGood.O
14.8.7.17

Sophos
InstallBrain
4.98

Total Defense
Win32/Tnega.LVcHJRC
37.0.10853

Trend Micro House Call
TROJ_GEN.F47V0207
7.2.212

Vba32 AntiVirus
AdWare.BrainInst
3.12.24.3

VIPRE Antivirus
InstallBrain
27946

Zillya! Antivirus
Adware.Agent.Win32.8750
2.0.0.1840

File size:
722.3 KB (739,648 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\rocketpdfsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
11/1/2012 6:20:37 PM

Valid to:
11/1/2015 6:20:37 PM

Subject:
CN=We Code Good Inc., O=We Code Good Inc., L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4EEF3A85620395

File PE Metadata
Compilation timestamp:
9/3/2013 6:51:48 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:CEGLNNedbx5+dOTCBg22BiaBhk7kWI7yixQnUNlOTYcIQjIYbYbOOvwaQM5ncEBA:iNeZxo4TCuFcyhk7MLqMlOkcIYFOvVur

Entry address:
0xC2CD

Entry point:
E8, 56, 53, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 28, 77, 42, 00, 00, 75, 18, E8, A1, 4B, 00, 00, 6A, 1E, E8, EB, 49, 00, 00, 68, FF, 00, 00, 00, E8, B1, 2F, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 28, 77, 42, 00, FF, 15, 48, C0, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, 2C, 77, 42, 00, 74, 0D, 53, E8, C7, 2D, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 23, 1E, 00, 00, 89, 30, E8, 1C, 1E, 00, 00, 89...

Code size:
107 KB (109,568 bytes)

The file rocketpdfsetup.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove rocketpdfsetup.exe - Powered by Reason Core Security