home

2799.exe

York New Labs (Extreme White Limited)

The application 2799.exe by York New Labs (Extreme White Limited) has been detected as a potentially unwanted program by 8 anti-malware scanners. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from download.ewebdomrec.com and multiple other hosts. While running, it connects to the Internet address lb-182-252.above.com on port 80 using the HTTP protocol.
Publisher:
York New Labs (Extreme White Limited)  (signed and verified)

Version:
106.0.0.0

MD5:
425054d7a93763a5f9cdeec608b3e3ca

SHA-1:
968d2fb02cc7837822fca1c726b70a34937abe64

SHA-256:
68737d95fe2374ef91ccd8732f368c2176dc0ab6f6b480d80e94fa9ab84992fa

Scanner detections:
8 / 68

Status:
Potentially unwanted

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
4/19/2024 12:53:34 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.CrossRider
2015.06.18

Avira AntiVirus
ADWARE/CrossRider.Gen7
8.3.1.6

ESET NOD32
Win32/Toolbar.CrossRider.CN potentially unwanted (variant)
9.11800

Malwarebytes
PUP.Optional.Crossbrowse.C
v2015.06.18.06

Panda Antivirus
Trj/Genetic.gen
15.06.18.06

Reason Heuristics
Threat.Win.Reputation.IMP
15.6.18.18

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

VIPRE Antivirus
Crossrider
41208

File size:
1.9 MB (1,957,968 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\2799.exe

Digital Signature
Signed by:
York New Labs (Extreme White Limited)

Authority:
COMODO CA Limited

Valid from:
4/15/2015 1:00:00 AM

Valid to:
4/15/2016 12:59:59 AM

Subject:
CN=York New Labs (Extreme White Limited), O=York New Labs (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00927773AE2A990E6BEB7E5455470BEF66

File PE Metadata
Compilation timestamp:
6/17/2015 10:55:53 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:qfecA1+cHOEBmaByDTcB1kTapSUdNCKToXIu8QHFBC8FTf:MHA1XXBy3cPoB

Entry address:
0x129D2E

Entry point:
E8, 48, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, 8E, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, CE, 5B, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, 8E, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...
 
[+]

Entropy:
6.6527

Code size:
1.3 MB (1,402,368 bytes)

The file 2799.exe has been discovered within the following program.

Crossbrowse  by CLARALABSOFTWARE
87% remove it
 
Powered by Should I Remove It?

The file 2799.exe has been seen being distributed by the following 2 URLs.

http://download.ewebdomrec.com/crcb/107/.../installer.exe

http://download.rgbdomsrv.com/crcb/107/.../installer.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to lb-182-252.above.com  (103.224.182.252:80)

Remove 2799.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.