ibsvc.exe

InstallBrain Installer

Performersoft LLC

This is the Performersoft setup installer. The application ibsvc.exe by Performersoft has been detected as a potentially unwanted program by 39 anti-malware scanners. The program is a setup application that uses the InstallBrain installer. It is the uninstaller utility registered in the Windows Control Panel for the program InstallBrain Updater Service. During installation, it also installs bundled, potentially unwanted software on the user's computer without adequate consent. The file has been seen being downloaded from www.performersoft.com. While running, it connects to the Internet address www.ibbalance.com on port 443.

Publisher:
InstallBrain  (signed by Performersoft LLC)

Product:
InstallBrain Installer

Version:
11,6,20,2

MD5:
3a298b09a83309e0e1e9b32d2a47cc33

SHA-1:
e4aff0ba9d7c8f2b3623db0c3b2d8279f8c64499

SHA-256:
0d92e404dfb563b759e31c799b347c34270887a312c562002070041cdd8cd51c

Scanner detections:
39 / 68

Status:
Potentially unwanted

Explanation:
May bundle additional potentially unwanted software such as adware during setup.

Description:
This is also known as bundleware, or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
5/3/2024 4:12:39 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Application.Bundler.InstallBrain.A | 358 |
| Agnitum Outpost | Trojan.Obfuscated | 7.1.1 |
| AhnLab V3 Security | PUP/Win32.BundleInstaller | 2014.10.26 |
| Avira AntiVirus | ADWARE/Adware.Gen | 7.11.30.172 |
| avast! | Adware-gen [Adw] | 2014.9-160211 |
| AVG | Adware InstallBrain.E | 2017.0.2836 |
| Baidu Antivirus | Adware.Win32.BrainInst | 4.0.3.16211 |
| Bitdefender | Application.Bundler.InstallBrain.A | 1.0.20.210 |
| Bkav FE | W32.Clod05d.Trojan | 1.3.0.4959 |
| Clam AntiVirus | Trojan.Agent-294202 | 0.98/21155 |
| Comodo Security | ApplicUnwnt.Win32.AdWare.IBrain.B | 18456 |
| Dr.Web | Adware.Downware.281 | 9.0.1.042 |
| Emsisoft Anti-Malware | Trojan.Win32.InstallBrain.AMN!A2 | 8.16.02.11.03 |
| ESET NOD32 | Win32/InstallBrain.AW potentially unwanted application | 10.7.0.302.0 |
| Fortinet FortiGate | W32/Obfuscated.NEV!tr | 2/11/2016 |
| F-Prot | W32/IBrain.A.gen | v6.4.6.5.141 |
| F-Secure | Application.Bundler.InstallBrain | 11.2016-11-02_5 |
| G Data | Application.Bundler.InstallBrain | 16.2.24 |
| IKARUS anti.virus | Trojan-Downloader.Win32.Brantall | t3scan.1.6.1.0 |
| K7 AntiVirus | Trojan | 13.1712333 |
| Kaspersky | not-a-virus:AdWare.Win32.BrainInst | 14.0.0.677 |
| Malwarebytes | Adware.InstallBrain | v2016.02.11.03 |
| McAfee | Artemis!C6727CF3AF19 | 5600.6492 |
| Microsoft Security Essentials | Threat.Undefined | 1.175.1935.0 |
| MicroWorld eScan | Application.Bundler.InstallBrain.A | 17.0.0.126 |
| NANO AntiVirus | Riskware.Win32.Downware.vpsbt | 0.28.0.60253 |
| nProtect | Trojan-Clicker/W32.BrainInst.373728 | 14.05.23.01 |
| Panda Antivirus | PUP/Ibups | 16.02.11.03 |
| Qihoo 360 Security | Win32/Trojan.84e | 1.0.0.1015 |
| Quick Heal | TrojanDownloader.Brantall | 2.16.12.00 |
| Reason Heuristics | PUP.Performersoft.InstallBrain.Installer (M) | 16.2.11.15 |
| Rising Antivirus | PE:Trojan.Obfuscated!6.357 | 23.00.65.16209 |
| Sophos | InstallBrain | 4.94 |
| SUPERAntiSpyware | Trojan.Agent/Gen-Obfuscator | 9330 |
| Total Defense | Win32/Tnega.aEfTZDD | 37.0.10982 |
| Trend Micro House Call | HV_INSTALLBRAIN_CA225D33.TOMC | 7.2.42 |
| Vba32 AntiVirus | Malware-Cryptor.Inject.gen | 3.12.26.0 |
| VIPRE Antivirus | Threat.4759033 | 29708 |
| Zillya! Antivirus | Backdoor.Pigeon.Win32.880 | 2.0.0.1905 |

File size:
307.4 KB (314,808 bytes)

Product version:
11,6,20,2

Copyright:
Copyright 2011

Trademarks:
InstallBrain

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\ProgramData\ibupdaterservice\ibsvc.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
7/13/2011 3:38:26 PM

Valid to:
6/25/2012 8:20:46 PM

Subject:
CN=Performersoft LLC, O=Performersoft LLC, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
277B96F94D20C1

File PE Metadata
Compilation timestamp:
12/21/2011 2:53:58 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:QIuDEqpfZtKgPYo75ozG3aP3DJH7aRODhLUfbAdOweQbZdGs8CUBkKzu3BYbyBVr:4Xp3erP3fqMldhTOboVuoS9dni

Entry address:
0xC1B90

Entry point:
60, BE, 00, 80, 48, 00, 8D, BE, 00, 90, F7, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, B7, F8, 0B, 00, 57, 83, C3, 04, 53, 68, 80, 9B, 03, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...
 

Code size:
236 KB (241,664 bytes)

Program Uninstaller
Program name:
InstallBrain Updater Service

Display version:
11,6,20,2

Uninstall string:
"C:\ProgramData\IBUpdaterService\ibsvc.exe" /UNINSTALL


The file ibsvc.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

TCP (HTTP):
