1.tmp.exe

CrossBrowser Installer

CLARALABSOFTWARE

The application 1.tmp.exe by CLARALABSOFTWARE has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from vzbucket.clara-labs.com.
Publisher:
The CrossBrowser Authors  (signed by CLARALABSOFTWARE)

Product:
CrossBrowser Installer

Version:
36.0.1985.138

MD5:
eb1e08a649a1b6e4e86f98370f3908b7

SHA-1:
496dc74f333dfe83777651dc99b68bfb4b317d02

SHA-256:
de77d1352e13b5c8b06e4cfcc7ffc43134db7b50b916d895a0f682864f674cb2

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/25/2024 5:22:44 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Installer.CLARALABSOFTWARE
15.2.14.6

File size:
36.8 MB (38,540,192 bytes)

Product version:
36.0.1985.138

Copyright:
Copyright 2014 The CrossBrowser Authors. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\1.tmp.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
12/17/2014 2:11:04 PM

Valid to:
12/17/2015 2:11:04 PM

Subject:
CN=CLARALABSOFTWARE, O=CLARALABSOFTWARE, L=Paris, C=FR

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B0709ADBE1F3C

File PE Metadata
Compilation timestamp:
1/15/2015 9:16:45 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:2H7ntT3FVg7OXCo64ROJ/pT2Cw835WWTR7wx04bBFhtTkZbUDRHz3:25jbxXCo6NBtnJby04FSZbaF

Entry address:
0x2168

Entry point:
6A, 00, FF, 15, 90, 40, 40, 00, 50, E8, AD, 08, 00, 00, 59, 50, FF, 15, 7C, 40, 40, 00, CC, 55, 8B, EC, 81, EC, 14, 02, 00, 00, 53, 56, 8B, 75, 14, 85, F6, 0F, 84, BD, 00, 00, 00, FF, 75, 08, 8D, 4D, F8, FF, 75, 0C, FF, 75, 10, E8, 9A, 0C, 00, 00, 8D, 4D, F8, E8, B7, 0C, 00, 00, 84, C0, 0F, 84, 9C, 00, 00, 00, 8D, 4D, F8, E8, AF, 0C, 00, 00, 83, F8, 01, 0F, 82, 8B, 00, 00, 00, 8D, 4D, F8, E8, 9E, 0C, 00, 00, 3D, 00, 00, 00, 40, 77, 7C, FF, 36, 33, C0, BB, 04, 01, 00, 00, 66, 89, 45, F4, 66, 89, 85, EC, FD...
 
[+]

Packer / compiler:
FASM v1.3x

Code size:
8 KB (8,192 bytes)

The file 1.tmp.exe has been seen being distributed by the following URL.

Remove 1.tmp.exe - Powered by Reason Core Security