4378.exe

You Two Lab (Extreme White Limited)

The application 4378.exe, published by You Two Lab (Extreme White Limited), has been detected as a potentially unwanted program by 23 anti-malware scanners. The file is typically installed with the program Crossbrowse by CLARALABSOFTWARE, itself a potentially unwanted program, and is built using the Crossrider cross-browser extension toolkit. Although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It has been seen being downloaded from 113.171.224.216 and multiple other hosts. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
You Two Lab (Extreme White Limited) (signed and verified)

Version:
106.0.0.0

MD5:
13574f56f4665ffbbc6ea06016476785

SHA-1:
a4f874d5b0cfcccc12359dbca6c9ae7768b3cc7f

SHA-256:
2529cd27da85c0aa6683f4327e67afd59a9432c9567d9ff70f11dd7f72062e68

Scanner detections:
23 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
5/17/2024 6:03:10 PM UTC

Scan engine: Detection (Engine version)

Agnitum Outpost: PUA.CrossRider (7.1.1)
Avira AntiVirus: ADWARE/CrossRider.1977928.6 (8.3.1.6)
avast!: Win32:Malware-gen (2014.9-150911)
AVG: Generic (2016.0.3027)
Baidu Antivirus: Adware.Win32.CrossAd (4.0.3.1585)
Bkav FE: W32.HfsAdware (1.3.0.6979)
Dr.Web: Trojan.Crossrider1.43107 (9.0.1.0217)
ESET NOD32: Win32/Toolbar.CrossRider.CT potentially unwanted application (9.7.0.302.0)
Fortinet FortiGate: W32/AppRider.CT (8/5/2015)
G Data: Win32.Application.Agent.C98ETU (15.8.25)
herdProtect (fuzzy): detected (2015.9.11.15)
K7 AntiVirus: Unwanted-Program (13.207.16772)
Kaspersky: not-a-virus:HEUR:AdWare.Win32.CrossRider (14.0.0.1628)
Malwarebytes: PUP.Optional.Crossbrowse.C (v2015.08.05.11)
McAfee: Artemis!13574F56F466 (5600.6683)
NANO AntiVirus: Trojan.Win32.Crossrider1.ductxr (0.30.24.2668)
Qihoo 360 Security: Win32/Virus.Adware.798 (1.0.0.1015)
Reason Heuristics: PUP.ExtremeWhite.Bundler.Meta (M) (15.8.5.11)
Sophos: PUA 'AppRider' (of type Adware) (5.15)
Trend Micro: TROJ_GEN.R00UC0OH215 (10.465.05)
Vba32 AntiVirus: suspected of Trojan.Downloader.gen.h (3.12.26.4)
VIPRE Antivirus: Threat.4789396 (41424)
Zillya! Antivirus: Adware.CrossRider.Win32.14138 (2.0.0.2325)

File size:
1.9 MB (1,979,976 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\4378.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 7:00:00 AM

Valid to:
4/15/2016 6:59:59 AM

Subject:
CN=You Two Lab (Extreme White Limited), O=You Two Lab (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DA184DA11A5376568B6099B7928BCCBB

File PE Metadata
Compilation timestamp:
7/14/2015 5:08:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:SUg0aCJdW03Ai7vAV3ejTpixTlpS6xizKEWmrEbs14D:bg1CWwAi743assq

Entry address:
0x12D09E

Entry point:
E8, 58, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, DE, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, 1E, 5C, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, DE, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...

Entropy:
6.6518

Code size:
1.4 MB (1,418,240 bytes)

The file 4378.exe has been discovered within the following program.

Crossbrowse by CLARALABSOFTWARE (87% remove it)

The file 4378.exe has been seen being distributed by the following 3 URLs.

http://113.171.224.216/.../installer.exe

http://113.171.224.178/.../installer.exe

When executed, the file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net (69.16.175.42:80)
