» 1stbrowser.exe
Overview
Analysis
File Details
Behaviors (1)
Programs (1)
Downloads (2)
Network (20)

1stbrowser.exe

1stBrowser

SIEN SA

The application 1stbrowser.exe by SIEN SA has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It runs as a scheduled task under the Windows Task Scheduler named 1stbrowser. This file is typically installed with the program 1stBrowser by Sien S.A.. The file has been seen being downloaded from openload.co and multiple other hosts. While running, it connects to the Internet address 189-76-142-72.ntelecom.com.br on port 80 using the HTTP protocol.

File name:

1stbrowser.exe

Publisher:

The 1stBrowser Authors (signed by SIEN SA)

Product:

1stBrowser

Version:

45.0.2454.167

MD5:

6be4c974467a8117c9c6d177c0b8ec91

SHA-1:

ff77a626698b7382370b933a13ebf37d6c1b700f

SHA-256:

c114e90142e0055bca0d8a1f8fef05b4e359b2cb82d46d71a20db342c928aa6d

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

11/26/2024 10:07:35 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Sien.SIENSA (M)

16.5.11.19

File size:

852.1 KB (872,568 bytes)

Product version:

45.0.2454.167

Original file name:

chrome.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\1stbrowser\application\1stbrowser.exe

Digital Signature

Signed by:

SIEN SA

Authority:

GlobalSign nv-sa

Valid from:

9/14/2015 2:05:56 PM

Valid to:

9/14/2016 2:05:56 PM

Subject:

CN=SIEN SA, O=SIEN SA, L=Paris, C=FR

Issuer:

CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:

11213DB3C4AD369B17F720086E1BBB7BB700

File PE Metadata

Compilation timestamp:

5/10/2016 5:44:42 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

12.0

CTPH (ssdeep):

12288:clqf0IasEINm593V4vxCTm2boiybNoD2UEtQEkzsBrjMlbxaXy+J++UHOxYaRA9:clrgYbHIXSuRI

Entry address:

0x42A54

Entry point:

E8, C0, 95, 00, 00, E9, 7F, FE, FF, FF, CC, CC, 8B, 44, 24, 08, 8B, 4C, 24, 10, 0B, C8, 8B, 4C, 24, 0C, 75, 09, 8B, 44, 24, 04, F7, E1, C2, 10, 00, 53, F7, E1, 8B, D8, 8B, 44, 24, 08, F7, 64, 24, 14, 03, D8, 8B, 44, 24, 08, F7, E1, 03, D3, 5B, C2, 10, 00, 55, 8B, EC, 83, EC, 14, 53, 56, 33, DB, 57, 8B, 7D, 08, 89, 5D, F8, 89, 5D, F4, 89, 5D, FC, 85, FF, 75, 18, E8, F0, 13, 00, 00, 6A, 16, 5E, 89, 30, E8, 83, D0, FF, FF, 8B, C6, 5F, 5E, 5B, 8B, E5, 5D, C3, 6A, 24, 68, FF, 00, 00, 00, 57, E8, BC, F9, FF, FF... 
[+]

Code size:

368 KB (376,832 bytes)

Scheduled Task

Task name:

1stbrowser

Trigger:

Registration (Runs on registration)

The file 1stbrowser.exe has been discovered within the following programs.

1stBrowser by Sien S.A.

About 3% of users remove it

The file 1stbrowser.exe has been seen being distributed by the following 2 URLs.

https://openload.co/.../Frm9NCAL4-g~1470246313~186.125.0.0~-EXxL0N8

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-bzrBi6UWgUbyh12gmDWL1bjKsEsn2ClRWHSmObrUNre7lXiudZiUJ1G9Q4tkJX8U-OZtZrw2rULBXQ-scIJXZQ/messages/@.id==AAN3w0MAEZRWV_uTbgnAGCI0QU4/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=640507aa-4133-9618-015a-c5005e010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBZOsDvyIUm5QvMm8lkdVTn8EzUsPd9QBsU4hzr5pNTkAODtbetMcWSCWFFU_lefl1M6y0cZDZK87O4GU8LnZAz6&error=https://mg.mail.yahoo.com/.../iframemsg?id=cb996e35-badf-a30f-ed67-dfed395fe6bf

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to ec2-23-23-112-220.compute-1.amazonaws.com (23.23.112.220:443)

TCP (HTTP):

Connects to ec2-52-55-12-167.compute-1.amazonaws.com (52.55.12.167:80)

TCP (HTTP SSL):

Connects to xx-fbcdn-shv-01-gru2.fbcdn.net (31.13.85.4:443)

TCP (HTTP SSL):

Connects to edge-star-mini-shv-01-gru2.facebook.com (31.13.85.36:443)

TCP (HTTP SSL):

Connects to edge-video-shv-01-gru2.fbcdn.net (31.13.85.15:443)

TCP (HTTP):

Connects to ec2-107-23-60-50.compute-1.amazonaws.com (107.23.60.50:80)

TCP (HTTP):

Connects to i0-h0-s4.p0-gig.cdngp.net (174.35.87.69:80)

TCP (HTTP):

Connects to i0-h0-s1056.p0-mia.cdngp.net (174.35.36.89:80)

TCP (HTTP):

Connects to i0-h0-s1045.p0-mia.cdngp.net (174.35.36.78:80)

TCP (HTTP):

Connects to i0-h0-s1006.p0-mia.cdngp.net (174.35.36.11:80)

TCP (HTTP):

Connects to i0-h0-s2.p0-gig.cdngp.net (174.35.87.67:80)

TCP (HTTP SSL):

Connects to edge-z-m-mini-shv-01-gru2.facebook.com (31.13.85.37:443)

TCP (HTTP SSL):

Connects to edge-atlas-shv-01-gru2.facebook.com (31.13.85.1:443)

TCP (HTTP SSL):

Connects to edge-star-shv-01-gru2.facebook.com (31.13.85.8:443)

TCP (HTTP):

Connects to ec2-52-207-48-5.compute-1.amazonaws.com (52.207.48.5:80)

TCP (HTTP SSL):

Connects to server-52-84-174-242.gru50.r.cloudfront.net (52.84.174.242:443)

TCP (HTTP SSL):

Connects to edge-star-mini-shv-02-gru2.facebook.com (157.240.12.35:443)

TCP (HTTP SSL):

Connects to cache.google.com (179.97.41.53:443)

TCP (HTTP SSL):

Connects to a23-10-247-57.deploy.static.akamaitechnologies.com (23.10.247.57:443)

TCP (HTTP):

Connects to 189-76-142-72.ntelecom.com.br (189.76.142.72:80)

Remove 1stbrowser.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.