unzipexpresssetup.exe

Installer

Performersoft LLC

This is the Performersoft setup installer. The application unzipexpresssetup.exe by Performersoft has been detected as a potentially unwanted program by 27 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Performersoft LLC  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
2c75a3399163f3a5fd4cd4e2ab59eed3

SHA-1:
9c5e3a5e70c65ff9fc9b5802deaa304a1e4a3f8e

SHA-256:
48d7169bd5237868d9226c071d0c3ca3f69465da7cf8f787575997d60e81431e

Scanner detections:
27 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/26/2024 4:47:05 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Application.Bundler.InstallBrain.A | 926 |
| Agnitum Outpost | Adware.BrainInst | 7.1.1 |
| AhnLab V3 Security | Adware/Win32.BrainInst | 2014.07.24 |
| Avira AntiVirus | APPL/InstallBrain.Gen | 7.11.163.184 |
| avast! | Win32:Malware-gen | 140617-1 |
| AVG | Trojan horse Downloader.Generic13.BPSN | 2014.0.3986 |
| Bitdefender | Application.Bundler.InstallBrain.A | 1.0.20.1025 |
| Comodo Security | Application.Win32.InstallBrain.AM | 18952 |
| Dr.Web | Adware.Downware.1578 | 9.0.1.05190 |
| ESET NOD32 | Win32/InstallBrain.AZ potentially unwanted application | 7.0.302.0 |
| F-Prot | W32/A-b601ba44 | v6.4.7.1.166 |
| F-Secure | Trojan:W32/InstallBrain.A | 11.2014-24-07_5 |
| G Data | Application.Bundler.InstallBrain | 14.7.24 |
| IKARUS anti.virus | PUA.PerfSoft | t3scan.1.6.1.0 |
| K7 AntiVirus | Trojan | 13.181.12819 |
| Kaspersky | Trojan-Downloader.Win32.BrainInst | 15.0.0.494 |
| Malwarebytes | Adware.InstallBrain | v2014.07.24.02 |
| McAfee | Artemis!2C75A3399163 | 5600.7060 |
| Microsoft Security Essentials | Threat.Undefined | 1.179.842.0 |
| MicroWorld eScan | Application.Bundler.InstallBrain.A | 15.0.0.615 |
| NANO AntiVirus | Trojan.Win32.BrainInst.crdjcu | 0.28.2.60990 |
| Panda Antivirus | PUP/Ibups | 14.07.24.02 |
| Quick Heal | TrojanDownloader.Brantall.A5 | 7.14.14.00 |
| Reason Heuristics | PUP.Installer.Performersoft.R | 14.8.7.22 |
| Sophos | InstallBrain | 4.98 |
| Vba32 AntiVirus | AdWare.BrainInst | 3.12.26.3 |
| VIPRE Antivirus | Threat.4759033 | 31208 |

File size:
849.9 KB (870,272 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Common path:
C:\users\{user}\downloads\unzipexpresssetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
6/27/2012 11:28:03 PM

Valid to:
6/27/2015 11:28:03 PM

Subject:
CN=Performersoft LLC, O=Performersoft LLC, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07DAC5F73C6773

File PE Metadata
Compilation timestamp:
10/28/2013 10:51:19 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:zQmIuzTVMQNFWHhqqAuYvc2JLo3Fp7jy8x+q+X2i46Ona:DzzTaGFWBgJKL7jy8+X2iZOa

Entry address:
0x161A9

Entry point:
E8, D3, 7E, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 2C, 81, 43, 00, 00, 75, 18, E8, 1E, 77, 00, 00, 6A, 1E, E8, 68, 75, 00, 00, 68, FF, 00, 00, 00, E8, 28, 68, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 2C, 81, 43, 00, FF, 15, 60, B0, 42, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, A8, 81, 43, 00, 74, 0D, 53, E8, AD, 39, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 52, 01, 00, 00, 89, 30, E8, 4B, 01, 00, 00, 89...
 

Code size:
168 KB (172,032 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
