953e9bba-3efe-4e76-9b73-c1166ffc8f3b.exe

BoBrowser Installer

CLARALABSOFTWARE

The application 953e9bba-3efe-4e76-9b73-c1166ffc8f3b.exe by CLARALABSOFTWARE has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from vzbucket.clara-labs.com.
Publisher:
The BoBrowser Authors (signed by CLARALABSOFTWARE)

Product:
BoBrowser Installer

Version:
36.0.1985.131

MD5:
f784f16070f7970901dade9efeeb730a

SHA-1:
f012b36b7215412b4cc71a3d795f73985cbf3010

SHA-256:
08306497180901320a4a91d6c269fe8eaf767fd7c02e6efdbbcbda8400ab4cdf

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
12/25/2024 4:59:44 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Installer.CLARALABSOFTWARE.e

Engine version:
14.11.21.23

File size:
36.3 MB (38,092,936 bytes)

Product version:
36.0.1985.131

Copyright:
Copyright 2014 The BoBrowser Authors. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\953e9bba-3efe-4e76-9b73-c1166ffc8f3b.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
7/29/2014 10:13:08 AM

Valid to:
7/30/2015 10:13:08 AM

Subject:
CN=CLARALABSOFTWARE, O=CLARALABSOFTWARE, L=Paris, C=FR

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121E6E5C72C946A5248674AB7B56E24B246

File PE Metadata
Compilation timestamp:
10/22/2014 11:36:18 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:bVTRgj4Xc0nnmjS0h6911d9jgTtLH5Z+ITM7MpPf8GCreD50RYT0exl3O3BOF:xTRgcnmG0h2jgTFZEITmMpPkZa0Y3O3g

Entry address:
0x23C0

Packer / compiler:
FASM v1.3x

Code size:
9 KB (9,216 bytes)

The file 953e9bba-3efe-4e76-9b73-c1166ffc8f3b.exe has been seen being distributed by the following URL.

Remove 953e9bba-3efe-4e76-9b73-c1166ffc8f3b.exe - Powered by Reason Core Security