» videoperformersetup.exe
Overview
Analysis
File Details
Downloads (1)
Network (3)

videoperformersetup.exe

Installer

PPCTechSoft Inc.

This is the Performersoft setup installer. The application videoperformersetup.exe by PPCTechSoft has been detected as adware by 29 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from www.softologicsc.com. While running, it connects to the Internet address www.ibbalance.com on port 443.

File name:

Publisher:

PPCTechSoft Inc. (signed and verified)

Product:

Installer

Version:

15.9.28.27

MD5:

c01d0037bfbe391e79a304e797abd1a0

SHA-1:

4987934a1ba6316364f36140fbe4b43959cc1801

SHA-256:

4edb40e7293d560bb11b2f0e6604893e476644db7ccc330ceb77eb279a420357

Scanner detections:

29 / 68

Status:

Adware

Explanation:

Uses the InstallBrain monetization platform from iBario to deliver bundled adware both search toolbars and PC optimizers from Performersoft.

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

4/25/2024 6:02:40 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Application.Bundler.InstallBrain.A

372

Agnitum Outpost

Trojan.DL.Brantall

7.1.1

Avira AntiVirus

TR/Dropper.Gen

7.11.30.172

avast!

Win32:Installer-AG [PUP]

2014.9-160128

AVG

Downloader.Generic13

2017.0.2850

Bitdefender

Application.Bundler.InstallBrain.A

1.0.20.140

Clam AntiVirus

Win.Trojan.Graftor-1868

0.98/19786

Comodo Security

Application.Win32.InstallBrain.BE

20383

Dr.Web

Adware.Downware.1522

9.0.1.028

Emsisoft Anti-Malware

Application.Bundler.InstallBrain

8.16.01.28.01

ESET NOD32

Win32/InstallBrain.BE potentially unwanted application

10.7.0.302.0

F-Prot

W32/A-d5dfbac3

v6.4.7.1.166

F-Secure

Riskware.Application.Bundler.InstallBrain

11.2016-28-01_5

G Data

Application.Bundler.InstallBrain

16.1.24

IKARUS anti.virus

PUA.Brantall

t3scan.1.8.5.0

K7 AntiVirus

Unwanted-Program

13.187.14339

Kaspersky

not-a-virus:AdWare.Win32.BrainInst

14.0.0.747

Malwarebytes

PUP.Optional.InstallBrain.A

v2016.01.28.01

Microsoft Security Essentials

Threat.Undefined

1.189.2207.0

MicroWorld eScan

Application.Bundler.InstallBrain.A

17.0.0.84

NANO AntiVirus

Trojan.Win32.Downware.ctlrbr

0.28.6.64267

Norman

Application.Bundler.InstallBrain.A

11.20160128

Panda Antivirus

Trj/Genetic.gen

16.01.28.01

Quick Heal

TrojanDownloader.Brantall.A5

1.16.14.00

Reason Heuristics

PUP.Performersoft.PPCTechSoft.Bundler (M)

16.1.28.13

Sophos

PUA 'InstallBrain'

Vba32 AntiVirus

AdWare.BrainInst

3.12.26.3

VIPRE Antivirus

Threat.4150696

35418

Zillya! Antivirus

Backdoor.PePatch.Win32.42730

2.0.0.2007

File size:

837.6 KB (857,656 bytes)

Product version:

15.9.28.27

Original file name:

installer.exe

File type:

Executable application (Win32 EXE)

Bundler/Installer:

InstallBrain

Language:

English (United States)

Common path:

C:\users\{user}\downloads\videoperformersetup.exe

Digital Signature

Signed by:

PPCTechSoft Inc.

Authority:

GoDaddy.com, Inc.

Valid from:

3/29/2013 11:18:32 AM

Valid to:

3/29/2016 11:18:32 AM

Subject:

CN=PPCTechSoft Inc., O=PPCTechSoft Inc., L=Beaverton, S=OR, C=US

Issuer:

SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:

0782D382C7277D

File PE Metadata

Compilation timestamp:

11/12/2013 7:48:21 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:v76nTTUTAGla61K/HoLhLIUkVM8N0RMj2V:uUTAC/1KQFI9M+bU

Entry address:

0x1561F

Entry point:

E8, 5E, 43, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 80, C4, 42, 00, 00, 75, 18, E8, A9, 3B, 00, 00, 6A, 1E, E8, F3, 39, 00, 00, 68, FF, 00, 00, 00, E8, 30, 31, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40, 50, 6A, 00, FF, 35, 80, C4, 42, 00, FF, 15, F8, 20, 42, 00, 8B, F8, 85, FF, 75, 26, 6A, 0C, 5E, 39, 05, 84, C4, 42, 00, 74, 0D, 53, E8, 80, 24, 00, 00, 59, 85, C0, 75, A9, EB, 07, E8, 00, 05, 00, 00, 89, 30, E8, F9, 04, 00, 00, 89... 
[+]

Entropy:

7.7256 (probably packed)

Code size:

131.5 KB (134,656 bytes)

The file videoperformersetup.exe has been seen being distributed by the following URL.

http://www.softologicsc.com/.../$mMorZpA3IwZhuCUc?exename=VideoPerformerSetup&cid=4200&tid=EI_g1049999l516482s1357p150046t281854m2418268c7379180_503d11-58066105-2fe0c0c-6b3c6b5-30fc3a00_lax1CNbTvrOk2artDhACGMG2nLnTm9u9QyILOTguODAuNjUuNDEoAQ..

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):

Connects to www.ibbalance.com (173.192.190.227:443)

TCP (HTTP):

Connects to stats-182385724-1591972470.us-east-1.elb.amazonaws.com (54.221.252.69:80)

Remove videoperformersetup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.