wall2gosetup.exe

InstallBrain Installer

Performersoft LLC

This is the Performersoft setup installer. The application wall2gosetup.exe by Performersoft has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the InstallBrain installer. The setup program bundles additional offers, mostly adware, using the InstallBrain installer, a pay-per-install monetization download manager. InstallBrain will also install a background updater service that will update any installed browser add-ons and plug-ins.
Publisher:
InstallBrain  (signed by Performersoft LLC)

Product:
InstallBrain Installer

Version:
14,1,1,3

MD5:
0659e0df48090159d2828d8fc5e1c1d5

SHA-1:
113e64e151a0c24b7b4f76a6df96701faf2fd71c

SHA-256:
45c861118fd26daff6faf3ea46c465eab060b7263912abf72afb0be4c0c35853

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware both search toolbars and PC optimizers from Performersoft.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/23/2024 9:51:07 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Performersoft.InstallBrain.Installer (M)
16.2.7.15

File size:
387 KB (396,248 bytes)

Product version:
14,1,1,3

Copyright:
Copyright 2011

Trademarks:
InstallBrain

File type:
Executable application (Win32 EXE)

Bundler/Installer:
InstallBrain

Language:
English (United States)

Common path:
C:\users\{user}\downloads\wall2gosetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
7/13/2011 3:38:26 PM

Valid to:
6/25/2012 8:20:46 PM

Subject:
CN=Performersoft LLC, O=Performersoft LLC, L=Beaverton, S=OR, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
277B96F94D20C1

File PE Metadata
Compilation timestamp:
5/10/2012 4:27:56 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:X9xZ5yN3Cwaw//ikDju436I26h+OoS9OtE:X9vsky/7NKDm+1E

Entry address:
0x13C7F0

Entry point:
60, BE, 00, F0, 4E, 00, 8D, BE, 00, 20, F1, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, EE, A1, 13, 00, 57, 83, C3, 04, 53, 68, ED, D7, 04, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...
 
[+]

Code size:
316 KB (323,584 bytes)

The file wall2gosetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

TCP (HTTP):

Remove wall2gosetup.exe - Powered by Reason Core Security