updfsetup.exe

Installer

MediaTechSoft Inc.

This is the Performersoft setup installer. updfsetup.exe, published by MediaTechSoft Inc., is detected as adware by 35 of the 68 anti-malware scanners listed below. It is a setup application built on the InstallBrain installer, and according to AVG it downloads additional adware offers during setup. While running, it connects to www.ibbalance.com over TCP port 443 (HTTPS) and to www.softologic.com over TCP port 80. The file carries a valid Authenticode signature from MediaTechSoft Inc. issued by GoDaddy; a valid signature identifies the publisher but says nothing about whether the software is wanted, as the detections on this page show.
Publisher:
MediaTechSoft Inc.  (signed and verified)

Product:
Installer

Version:
15.9.28.27

MD5:
5d1d2f7c2a6d83c37ca2bd3b0523afd3

SHA-1:
bb81da67ab2a6658c963e4654b0613201930e464

SHA-256:
1b69542a1aa4152740c759c2a400c10569065f01c390888051db13cdd47d45a4

Scanner detections:
35 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that the user may not want. Although the installer has an 'opt-out' option, it is not selected by default and is usually overlooked.

Analysis date:
4/26/2024 1:27:34 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Application.Bundler.InstallBrain.A | 368
Agnitum Outpost | Adware.BrainInst | 7.1.1
Avira AntiVirus | TR/Dldr.Brantall.C.13 | 7.11.173.232
avast! | Win32:InstallBrain-AT [PUP] | 2014.9-160201
AVG | Trojan horse Downloader.Generic13 | 2017.0.2846
Bitdefender | Application.Bundler.InstallBrain.A | 1.0.20.160
Bkav FE | W32.HfsAdware | 1.3.0.6379
Clam AntiVirus | Win.Adware.Braininst-7 | 0.98/19418
Comodo Security | Application.Win32.InstallBrain.AO | 19593
Dr.Web | Adware.Downware.1295 | 9.0.1.032
Emsisoft Anti-Malware | Application.Bundler.InstallBrain | 8.16.02.01.03
ESET NOD32 | Win32/InstallBrain.AF potentially unwanted application | 10.7.0.302.0
Fortinet FortiGate | W32/InstallBrain.AN | 2/1/2016
F-Prot | W32/A-86618429 | v6.4.7.1.166
F-Secure | Application.Bundler.InstallBrain | 11.2016-01-02_2
G Data | Application.Bundler.InstallBrain | 16.2.24
IKARUS anti.virus | not-a-virus:AdWare.Win32 | t3scan.2.2.29
K7 AntiVirus | Unwanted-Program | 13.183.13451
Kaspersky | not-a-virus:AdWare.Win32.BrainInst | 14.0.0.727
Malwarebytes | Adware.InstallBrain | v2016.02.01.03
McAfee | Artemis!0B19294525FB | 5600.6502
Microsoft Security Essentials | Threat.Undefined | 1.185.877.0
MicroWorld eScan | Application.Bundler.InstallBrain.A | 17.0.0.96
NANO AntiVirus | Trojan.Win32.Downware.cqksvx | 0.28.2.62286
Norman | Application.Bundler.InstallBrain.A | 11.20160201
Panda Antivirus | Trj/Brantall.A | 16.02.01.03
Qihoo 360 Security | Win32/Virus.Adware.375 | 1.0.0.1015
Quick Heal | TrojanDownloader.Brantall.A5 | 2.16.14.00
Reason Heuristics | PUP.Performersoft.MediaTechSoft.Bundler (M) | 16.2.1.15
Sophos | InstallBrain | 4.98
SUPERAntiSpyware | Adware.InstallBrain/Variant | 9350
Trend Micro House Call | TROJ_GEN.F47V0812 | 7.2.32
Vba32 AntiVirus | AdWare.BrainInst | 3.12.26.3
VIPRE Antivirus | Threat.4759033 | 33120
Zillya! Antivirus | Downloader.BrainInst.Win32.25 | 2.0.0.1929

File size:
720.3 KB (737,568 bytes)

Product version:
15.9.28.27

Copyright:
Copyright 2012

Original file name:
installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\updfsetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
3/29/2013 2:18:00 PM

Valid to:
3/29/2016 2:18:00 PM

Subject:
CN=MediaTechSoft Inc., O=MediaTechSoft Inc., L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4B870730DE21B9

File PE Metadata
Compilation timestamp:
8/22/2013 8:14:40 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:70tDxZc7TOTkfDo4psKIy2IhVfvxOcMgy/zJ+HbMQ2FxtwOqrgelzz:suqTMs5KIjaVBHMv1EbM4OqrLlzz

Entry address:
0xC05D

Entry point:
E8, F6, 49, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, E8, 55, 42, 00, 00, 75, 18, E8, 41, 42, 00, 00, 6A, 1E, E8, 8B, 40, 00, 00, 68, FF, 00, 00, 00, E8, 3B, 26, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, E8, 55, 42, 00, FF, 15, 58, A0, 41, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, EC, 55, 42, 00, 74, 0D, 53, E8, 8B, 19, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 5D, 19, 00, 00, 89, 30, E8, 56, 19, 00, 00, 89...

Code size:
97 KB (99,328 bytes)
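The PE metadata above (compilation timestamp, OS version, subsystem, linker version, entry address, code size and the bytes at the entry point) all come from a handful of fixed-offset fields in the DOS, COFF, optional and section headers. The following Python is an added example, not code from this report or from Reason Core Security: it parses those fields with the standard library only and maps the entry RVA to a file offset through the section table. Because the real updfsetup.exe is not on the page, the script builds a constructed header-only PE32 image that carries the report's values; the compilation timestamp is assumed to be UTC (the report does not say), and only the first ten entry-point bytes the report shows are embedded.

```python
"""Parse the PE header fields a scan report lists, using only the standard library.

The sample image is constructed to carry the values from the report; it is not
the real updfsetup.exe.
"""
import calendar
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Win32", 0x8664: "x64"}

# Report values. Timestamp assumed UTC; entry bytes are the first ten shown.
REPORT_TIMESTAMP = calendar.timegm((2013, 8, 22, 8, 14, 40))
ENTRY_BYTES = bytes.fromhex("E8F6490000E989FEFFFF")


def parse_pe(data: bytes) -> dict:
    """Read DOS -> COFF -> optional header -> section table and return the report's fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # DOS header: offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                               # COFF header is 20 bytes
    magic, maj_link, min_link, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)     # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsections):                                    # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), vaddr, max(vsize, rawsize), rawptr))
    return {
        "bitness": MACHINES.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "linker_version": f"{maj_link}.{min_link}",
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": sections,
    }


def rva_to_offset(rva: int, sections) -> int:
    """Map a relative virtual address to a file offset via the containing section."""
    for _name, vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def summarize(data: bytes) -> dict:
    """Header fields plus the first ten bytes at the entry point, as a report would show them."""
    info = parse_pe(data)
    off = rva_to_offset(info["entry_rva"], info["sections"])
    info["entry_bytes"] = data[off:off + 10].hex(" ").upper()
    return info


def build_sample_pe() -> bytes:
    """Constructed PE32 image: one .text section, header values taken from the report."""
    e_lfanew, opt_size = 0x80, 0xE0
    text_rva, text_raw, text_size = 0x1000, 0x400, 99328         # SizeOfCode from the report
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, REPORT_TIMESTAMP, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 10, 0, text_size)    # PE32, linker 10.0, SizeOfCode
    struct.pack_into("<I", opt, 16, 0xC05D)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, text_rva)                     # BaseOfCode
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # Section/File alignment
    struct.pack_into("<HH", opt, 40, 5, 1)                        # OS version 5.1
    struct.pack_into("<HH", opt, 48, 5, 1)                        # Subsystem version
    struct.pack_into("<II", opt, 56, 0x1A000, 0x400)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                            # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw,
                          0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + opt + section)
    image.extend(bytes(text_raw + text_size - len(image)))
    off = text_raw + (0xC05D - text_rva)
    image[off:off + len(ENTRY_BYTES)] = ENTRY_BYTES
    return bytes(image)


if __name__ == "__main__":
    print(summarize(build_sample_pe()))
```

Run against a real file by passing its bytes to summarize(); the "OS version" line on the report is MajorOperatingSystemVersion.MinorOperatingSystemVersion (5.1 is the Windows XP era value), the subsystem value 2 is the GUI subsystem, and the entry bytes only line up with the report once the RVA has been translated through the section table rather than read at the raw offset.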

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
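The two hosts and IP:port pairs above are the network indicators a responder would sweep proxy or DNS logs for. The Python below is an added example, not code from this report or from Reason Core Security: it matches those indicators against log lines, comparing host names on label boundaries so that unrelated names containing the same string are not flagged, and noting when a listed IP is contacted on a port other than the one the report records. The log format and the five sample lines are constructed for the example; only the indicator values come from the report.

```python
"""Sweep constructed proxy log lines for the network indicators in the report."""
import ipaddress
import re

# Indicators taken from the report.
DOMAIN_IOCS = {"www.softologic.com", "www.ibbalance.com"}
IP_IOCS = {
    ipaddress.ip_address("174.37.181.31"): 80,
    ipaddress.ip_address("173.192.190.227"): 443,
}

# Constructed log format: <timestamp> <source ip> <destination host or ip>:<port> <method>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<what>\S+)$")


def host_matches(host: str, ioc: str) -> bool:
    """Exact or subdomain match on label boundaries.

    A plain substring test ('ibbalance.com' in host) would also fire on names
    such as cdn.notibbalance.com; anchoring on the dot avoids that.
    """
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def classify(dst: str, port: int):
    """Return a tag for a destination that matches an indicator, else None."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:                      # not an IP literal: treat as a host name
        for ioc in DOMAIN_IOCS:
            if host_matches(dst, ioc):
                return f"domain:{ioc}"
        return None
    expected_port = IP_IOCS.get(ip)
    if expected_port is None:
        return None
    if expected_port == port:
        return f"ip:{ip}"
    # Same server on another port is still a hit, but record the deviation.
    return f"ip:{ip} (port {port}, report lists {expected_port})"


def scan_log(lines):
    """Return (timestamp, source, tag) for every line whose destination matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        tag = classify(m["dst"], int(m["port"]))
        if tag:
            hits.append((m["ts"], m["src"], tag))
    return hits


# Constructed sample lines: two true hits, a substring trap, a benign host, a port deviation.
SAMPLE_LOG = [
    "2016-02-01T12:00:01Z 10.0.0.15 www.ibbalance.com:443 CONNECT",
    "2016-02-01T12:00:02Z 10.0.0.15 174.37.181.31:80 GET",
    "2016-02-01T12:00:03Z 10.0.0.22 cdn.notibbalance.com:443 CONNECT",
    "2016-02-01T12:00:04Z 10.0.0.22 update.example.net:443 CONNECT",
    "2016-02-01T12:00:05Z 10.0.0.31 173.192.190.227:8443 CONNECT",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The IP indicators are weaker than the host names: the report shows 174.37.181.31 and 173.192.190.227 at the time of analysis, and shared hosting means the same addresses can serve unrelated sites, so an IP-only hit should be confirmed against the TLS SNI or Host header before it drives a response.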

Powered by Reason Core Security