1stbrowser.exe

Installer

SIEN SA

The application 1stbrowser.exe by SIEN SA has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been observed being downloaded from up.br.bav.baidu.com. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
S  (signed by SIEN SA)

Product:
Installer

Version:
4.17.4.17

MD5:
5960b5b763b92b985ce36b52812b2725

SHA-1:
89dfd33455d53a0434dbd7fd4114ec0b4ec6c5e1

SHA-256:
c9d770d0abadde713acce8c13cf08b75fbb22395f9ba26d77f64a42dc19fecd5

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
2/24/2025 5:23:07 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Sien (M)

Engine version:
16.7.19.17

File size:
2.1 MB (2,209,384 bytes)

Product version:
4.17.4.17

Copyright:
Copyright (C) 2015

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\1stbrowser.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
9/14/2015 9:05:56 AM

Valid to:
9/14/2016 9:05:56 AM

Subject:
CN=SIEN SA, O=SIEN SA, L=Paris, C=FR

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11213DB3C4AD369B17F720086E1BBB7BB700

File PE Metadata
Compilation timestamp:
4/21/2016 10:27:23 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
49152:BpF0vNBmM0vNAlTCL3sWvn1tmIY+oSEPpSbyQUNyIKGY539dsIbgK+aNeSJD+nmi:Bv0vvmM0vNAxCLLvrmP+oSEBSbyfkd52

Entry address:
0x131FA3

Entry point:
E8, A4, 08, 00, 00, E9, 80, FE, FF, FF, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 5A, F5, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, 49, F5, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 14, 11, 5F, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24...
 

Code size:
1.6 MB (1,633,792 bytes)

The file 1stbrowser.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)
