e3303319-c48b-4f82-b0c9-dc3dacf1d8f1.exe

BoBrowser Installer

ClaraLabSoftware

The application e3303319-c48b-4f82-b0c9-dc3dacf1d8f1.exe by ClaraLabSoftware has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from vzbucket.clara-labs.com.
Publisher:
The BoBrowser Authors  (signed by ClaraLabSoftware)

Product:
BoBrowser Installer

Version:
42.0.2311.113

MD5:
49f1276396ed2a83ef8939323ce149cc

SHA-1:
e2211e6cf80fe0a769a91a0b1d898f22e17386dd

SHA-256:
5b945512895a4b9550a275bc3efb4b24f4dd5182cf7d24c41cecf2f4bdab72aa

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/5/2024 3:34:20 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ClaraLab.Installer (M)
16.3.19.18

File size:
39 MB (40,885,880 bytes)

Product version:
42.0.2311.113

Copyright:
Copyright 2014 The BoBrowser Authors. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\e3303319-c48b-4f82-b0c9-dc3dacf1d8f1.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/19/2015 10:40:38 PM

Valid to:
1/20/2016 10:40:38 PM

Subject:
CN=ClaraLabSoftware, O=ClaraLabSoftware, L=Paris, C=FR

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112123154E5E0FD1C6C84C77F8890B7472E0

File PE Metadata
Compilation timestamp:
10/14/2015 7:58:51 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:irntFF7Lp3j3rg3lS1XFZEpIyAsffVlBlPLDR82S8zY:YtF9pz3rkCFqpIyAsJFDR82SgY

Entry address:
0x209E

Entry point:
6A, 00, FF, 15, A4, 40, 40, 00, 50, E8, FC, 08, 00, 00, 59, 50, FF, 15, 90, 40, 40, 00, CC, 55, 8B, EC, 81, EC, 14, 02, 00, 00, 53, 56, 8B, 75, 14, 85, F6, 0F, 84, BE, 00, 00, 00, FF, 75, 08, 8D, 4D, F8, FF, 75, 0C, FF, 75, 10, E8, BB, 0C, 00, 00, 8D, 4D, F8, E8, D8, 0C, 00, 00, 84, C0, 0F, 84, 9D, 00, 00, 00, 8D, 4D, F8, E8, D0, 0C, 00, 00, 83, F8, 01, 0F, 82, 8C, 00, 00, 00, 8D, 4D, F8, E8, BF, 0C, 00, 00, 3B, 05, F4, 14, 40, 00, 77, 7C, FF, 36, 33, C0, BB, 04, 01, 00, 00, 66, 89, 45, F4, 66, 89, 85, EC...
 
[+]

Entropy:
8.0000

Packer / compiler:
FASM v1.3x

Code size:
8 KB (8,192 bytes)

The file e3303319-c48b-4f82-b0c9-dc3dacf1d8f1.exe has been seen being distributed by the following URL.

Remove e3303319-c48b-4f82-b0c9-dc3dacf1d8f1.exe - Powered by Reason Core Security