pm-standalone-setup.exe

Security Analysis Response Script - Automatic Upload

Schlumberger

The application pm-standalone-setup.exe, “Tool for IR Data Collection.” by Schlumberger has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The setup routine uses the RevenYou.Com Pay Per Install platform (OutBrowse) which bundles additional software offers inclduing toolbars, extensions, PC utilities as well as other PUPs. The file has been seen being downloaded from www.secops.slb.com.
Publisher:
Schlumberger Security Operations Team  (signed by Schlumberger)

Product:
Security Analysis Response Script - Automatic Upload

Description:
Tool for IR Data Collection.

Version:
1.0.8.3

MD5:
4ce7f43ebc5234970de6d9accad1d5dd

SHA-1:
0ce49103c8e9824bcb1490243cf5c6b1e5de2f9e

SHA-256:
5c9287436cea86e3fc08ee8332b3064ac0b25481f0c57d08a105463084551fd8

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional adware offers during download and installation using the OutBrowse installer.

Analysis date:
11/24/2024 11:50:31 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

AegisLab AV Signature
Client.Smtp.W32!c
2.1.4+

Baidu Antivirus
Hacktool.Win32.Blat
4.0.3.16311

K7 AntiVirus
Riskware
13.212.18518

Kaspersky
not-a-virus:Client-SMTP.Win32.Blat
14.0.0.533

NANO AntiVirus
Riskware.Win32.PassRecover.czgwgp
1.0.14.5380

Panda Antivirus
Generic Suspicious
16.03.11.10

Quick Heal
ClientSMTP.Blat.r4 (Not a Virus)
3.16.14.00

Rising Antivirus
PE:Malware.Generic(Thunder)!1.A1C4 [F]
23.00.65.16309

Zillya! Antivirus
Downloader.OutBrowse.Win32.3885
2.0.0.2628

File size:
4.3 MB (4,541,984 bytes)

Product version:
1.0.8.3

Copyright:
© 2008-2014 - Unpublished work. All rights reserved.

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\pm-standalone-setup.exe

Digital Signature
Signed by:

Authority:
slb.com

Valid from:
7/23/2014 1:39:22 AM

Valid to:
7/22/2018 1:39:22 AM

Subject:
E=dbusby3@slb.com, CN=IT Security Code Signing Certificate David Busby, OU=IT Security, O=Schlumberger, L=Houston, S=TX, C=US

Issuer:
CN=Schlumberger Corporate Issuing CA1, OU=Schlumberger, O=slb.com, L=Best, S=Brabant, C=NL

Serial number:
339F86ED00000011D379

File PE Metadata
Compilation timestamp:
12/6/2009 5:50:46 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:z9Y02IBnny9CBo75wlKNZmsBD3lZGu5W6n9oL1NY/rGUknwcBgKqYg+/JaQJB8WW:zxnBBodVD3lZG8WuOjY/KUCwebqQ5BHW

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.9808

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file pm-standalone-setup.exe has been seen being distributed by the following URL.

Remove pm-standalone-setup.exe - Powered by Reason Core Security