roboot64.exe

PC Performer

Performersoft LLC

This file is part of a Performersoft product, a 'PC optimization' application that provides minimal benefit and may have been bundled by a third-party installer. The application roboot64.exe by Performersoft has been detected as a potentially unwanted program by 8 anti-malware scanners. It bundles additional offers, mostly adware, using the InstallBrain installer, a pay-per-install monetization download manager. InstallBrain also installs a background updater service that updates any installed browser add-ons and plug-ins.
Publisher:
Performersoft LLC  (signed and verified)

Product:
PC Performer

Version:
11.10.1.1

MD5:
5f9f3b0534551815c07f73c03ff84c5f

SHA-1:
b895750cd8da172165aec7583fb543af2c7e80b7

SHA-256:
5f807dbe6e4fec876e7c0b8f16bbe193e758ba237319e38cfb1199162f2c93c5

Scanner detections:
8 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers, from Performersoft.

Analysis date:
4/13/2021 6:12:16 AM UTC

Scan engine         Detection                                           Engine version
Avira AntiVirus     TR/Trash.Gen                                        7.11.30.172
Boost by Reason     Adware.Performersoft.I                              2013.7.26.17
ESET NOD32          Win64/Systweak.A potentially unwanted application   8.7.0.302.0
Malwarebytes        PUP.Optional.PCPerformer.A                          v2013.11.25.01
Panda Antivirus     Adware/Ibups                                        13.12.29.01
Reason Heuristics   PUP.Performersoft.I                                 14.8.7.22
SUPERAntiSpyware    Trojan.Agent/Gen-Nullo[Short]                       10183
VIPRE Antivirus     InstallBrain                                        23120

File size:
19 KB (19,456 bytes)

Copyright:
Copyright (C) 2011 PerformerSoft LLC, All rights reserved.

Trademarks:
PerformerSoft

Original file name:
PCPerformer.exe

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Common path:
C:\Windows\System32\roboot64.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
6/27/2012 1:28:03 PM

Valid to:
6/27/2015 1:28:03 PM

Subject:
CN=Performersoft LLC, O=Performersoft LLC, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
07DAC5F73C6773

File PE Metadata
Compilation timestamp:
10/29/2011 4:16:58 AM

OS version:
6.0

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
8.0

CTPH (ssdeep):
384:0rcUlVP5itUrXK3yc/eGq9nYPLDHHP35K:EFl9YYV9GnPo

Entry address:
0x2304

Entry point:
48, 89, 5C, 24, 08, 56, 48, 83, EC, 70, 48, 8D, 0D, AB, F1, FF, FF, E8, 8E, F4, FF, FF, E8, AD, 02, 00, 00, BB, 30, 00, 00, 00, 48, 8D, 4C, 24, 40, 4C, 8B, C3, 33, D2, C6, 84, 24, 88, 00, 00, 00, 00, E8, 49, 0B, 00, 00, 48, 8D, 44, 24, 40, 48, 89, 44, 24, 28, 48, 83, 64, 24, 20, 00, 8D, 4B, D2, 33, D2, 41, B9, 00, 10, 00, 00, 41, B8, 00, 00, 10, 00, 89, 5C, 24, 40, E8, 23, 0A, 00, 00, 48, 85, C0, 48, 89, 05, 21, 23, 00, 00, 75, 11, 48, 8D, 0D, 30, EE, FF, FF, E8, 2B, F4, FF, FF, E9, E4, 00, 00, 00, 33, C9...

Entropy:
6.0398

Code size:
9 KB (9,216 bytes)
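The hashes (MD5/SHA-1/SHA-256) and the PE header fields above (compilation timestamp, OS version, bitness, subsystem, linker version, entry address, entry-point bytes, entropy, code size) are the values an analyst re-derives from a sample before trusting a third-party listing. The script below is an added example, not code from this page or from Reason Core Security: it computes those fields from a PE image in memory and compares the hashes with the ones listed here. The `build_sample_pe()` helper constructs a hollow PE32+ image that merely carries the header values shown on this page so the script runs offline; it is not roboot64.exe, and its hashes will not match the listing. Run it with a file path to triage a real sample.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Hashes published on this page for roboot64.exe (PC Performer 11.10.1.1).
LISTED_HASHES = {
    "md5": "5f9f3b0534551815c07f73c03ff84c5f",
    "sha1": "b895750cd8da172165aec7583fb543af2c7e80b7",
    "sha256": "5f807dbe6e4fec876e7c0b8f16bbe193e758ba237319e38cfb1199162f2c93c5",
}
# IMAGE_SUBSYSTEM_* values from the PE specification (common ones only).
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the bytes as lower-case hex, keyed like LISTED_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in LISTED_HASHES}


def matches_listing(data: bytes) -> dict:
    """Per-algorithm comparison against the page's hashes; all three must agree for a match."""
    computed = file_hashes(data)
    return {name: computed[name] == expected for name, expected in LISTED_HASHES.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; packed/encrypted files sit near 8, plain native code around 5-6.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Extract the header fields this listing reports from a PE32/PE32+ image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header; field offsets below are identical for PE32 and PE32+
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]

    # Walk the section table (40-byte entries after the optional header) to map the entry RVA to a file offset.
    entry_off = None
    for i in range(nsections):
        sec = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_off = entry_rva - va + raw_ptr
            break
    entry_bytes = data[entry_off:entry_off + 16] if entry_off is not None else b""

    return {
        "bitness": {0x10B: "Win32", 0x20B: "Win64"}.get(magic, f"unknown magic 0x{magic:x}"),
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "entry_rva": entry_rva,
        "entry_bytes": entry_bytes.hex(),
        "code_size": size_of_code,
        "entropy": round(shannon_entropy(data), 4),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32+ image for offline testing: a hollow file carrying the header values
    shown on this page. It is NOT roboot64.exe and its hashes will not match LISTED_HASHES."""
    entry_rva, text_va, text_raw, text_size = 0x2304, 0x1000, 0x400, 0x2400
    compiled = int(datetime(2011, 10, 29, 4, 16, 58, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, compiled, 0, 0, 0xF0, 0x22)  # AMD64, one section
    opt = bytearray(0xF0)
    struct.pack_into("<HBBI", opt, 0, 0x20B, 8, 0, 9216)   # PE32+, linker 8.0, SizeOfCode 9,216
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 6, 0)                 # OS version 6.0
    struct.pack_into("<H", opt, 68, 1)                     # IMAGE_SUBSYSTEM_NATIVE
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", text_size, text_va, text_size, text_raw) + b"\0" * 16
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(text_raw, b"\0")
    text = bytearray(text_size)
    start = entry_rva - text_va
    # First 16 entry-point bytes quoted on this page (mov [rsp+8],rbx; push rsi; sub rsp,70h; lea rcx,...).
    text[start:start + 16] = bytes.fromhex("48895c2408564883ec70488d0dabf1ff")
    return header + bytes(text)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in parse_pe(data).items():
        print(f"{key:>12}: {value}")
    print("matches listing:", matches_listing(data))
```

Treat the three hashes together as the identity to compare against; a single matching MD5 is not enough on its own. The script does not check the Authenticode signature: the certificate validity window on this page ended 6/27/2015, and whether the signature still verifies depends on a timestamp countersignature that the listing does not record, so confirm it separately on Windows with `signtool verify /pa` or `Get-AuthenticodeSignature`.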

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
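The two hosts and IPs above are the network indicators this listing gives for the file. The script below is an added example, not code from this page or from Reason Core Security: it sweeps proxy access logs for those indicators so a SOC can find which clients contacted them. The log lines are constructed Squid-native-format samples, not captured traffic. It goes one step beyond the page by also matching the bare parent domains (softologic.com, ibbalance.com), which the page does not list; those hits are labelled "domain" so they can be weighted differently from exact host or IP matches.

```python
from typing import Optional
from urllib.parse import urlsplit

# Network indicators listed on this page for roboot64.exe.
IOC_HOSTS = {"www.softologic.com", "www.ibbalance.com"}
IOC_IPS = {"174.37.181.31", "173.192.190.227"}
# Looser parent-domain match (assumption: derived here, not stated on the page).
IOC_DOMAINS = {host.split(".", 1)[1] for host in IOC_HOSTS}

# Constructed Squid access.log lines (native format):
# time elapsed client code/status bytes method URL user peerstatus/peerhost type
SAMPLE_LOG = """\
1618294336.123    245 10.0.0.15 TCP_MISS/200 1532 GET http://www.softologic.com/update.php - HIER_DIRECT/174.37.181.31 text/html
1618294337.001     12 10.0.0.15 TCP_TUNNEL/200 4021 CONNECT www.ibbalance.com:443 - HIER_DIRECT/173.192.190.227 -
1618294340.456     88 10.0.0.22 TCP_MISS/200 9120 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1618294341.789     30 10.0.0.15 TCP_TUNNEL/200 3000 CONNECT WWW.IBBALANCE.COM:443 - HIER_DIRECT/173.192.190.227 -
1618294342.000     10 10.0.0.31 TCP_MISS/200 500 GET http://softologic.com/ - HIER_DIRECT/174.37.181.31 text/html
"""


def host_of(url: str) -> Optional[str]:
    """Lower-cased hostname of a logged URL; CONNECT requests log a bare host:port."""
    target = url if "://" in url else "//" + url
    return urlsplit(target).hostname


def parse_squid_line(line: str) -> Optional[dict]:
    """Split one native-format Squid line into the fields the matcher needs."""
    fields = line.split()
    if len(fields) < 9:
        return None
    return {
        "ts": float(fields[0]),
        "client": fields[2],
        "method": fields[5],
        "url": fields[6],
        "host": host_of(fields[6]),
        "peer_ip": fields[8].split("/", 1)[-1],
    }


def ioc_reasons(rec: dict) -> list:
    """Every indicator a record matches, strongest first: exact host, then parent domain, then peer IP."""
    reasons = []
    host = rec["host"] or ""
    if host in IOC_HOSTS:
        reasons.append(f"host {host}")
    else:
        parent = ".".join(host.split(".")[-2:])
        if parent in IOC_DOMAINS:
            reasons.append(f"domain {parent}")
    if rec["peer_ip"] in IOC_IPS:
        reasons.append(f"ip {rec['peer_ip']}")
    return reasons


def scan_log(text: str) -> list:
    """Return one hit per matching line with the client, URL and the reasons it matched."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_squid_line(line)
        if rec is None:
            continue
        reasons = ioc_reasons(rec)
        if reasons:
            hits.append({"line": lineno, "client": rec["client"], "url": rec["url"], "reasons": reasons})
    return hits


def clients_seen(hits: list) -> set:
    """Distinct internal clients that touched any indicator; these are the hosts to check for the file."""
    return {hit["client"] for hit in hits}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit['line']}: {hit['client']} -> {hit['url']}  [{', '.join(hit['reasons'])}]")
    print("clients to check:", sorted(clients_seen(found)))
```

Matching on the peer IP as well as the host catches connections where the URL was rewritten or the host header was missing, but the IPs on this page belong to hosting ranges that can be reassigned, so an IP-only hit deserves a second look before it becomes a ticket.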

Powered by Reason Core Security