CrossriderApp0033693.exe

Facebook theme ch staging

uds

This is the Crossrider web browser extension installer that contains the files for installing a plugin for IE, Chrome and Firefox. It was built by developer (#33693) uds at http://crossrider.com/install/33693. The application CrossriderApp0033693.exe, “Facebook theme ch staging Installer” has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer, however the file is not signed with an authenticode signature from a trusted source. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
uds

Product:
Facebook theme ch staging

Description:
Facebook theme ch staging Installer

Version:
1.34.5.29

MD5:
b0d35e3968724e6f35152510e2b21c6d

SHA-1:
8f93bff1ba4ca2e2088d08a8811d058f5a37f0f3

SHA-256:
ff51306b889871d35c9ef5992e8bba7225b6afe12d0238a6815685c4423c1f19

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Uses the Crossrider extension framework which may modify the browser's home, new tab and search pages as well as displays advertisements such as banner ads and text-links.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:
8/11/2020 3:30:44 PM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
HW32.CDB
1.3.0.4959

ESET NOD32
Win32/Packed.ScrambleWrapper.I potentially unwanted application
7.0.302.0

Malwarebytes
v2014.06.09.03

McAfee
Adware-Crossrider
5600.7105

Reason Heuristics
PUP.Downloader.Installer.U
14.6.9.3

VIPRE Antivirus
Threat.4789396
30086

File size:
3.4 MB (3,575,004 bytes)

Copyright:
Copyright uds

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\downloads\crossriderapp0033693.exe

File PE Metadata
Compilation timestamp:
12/4/2012 5:55:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
98304:0bFEj6B8Hcy6FL0jjqZJpFK4hykYquh6UMzzsskPEA6K:6eWBXt2SpFKxkhuhEzmEA3

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 
[+]

Entropy:
7.9915  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file CrossriderApp0033693.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to stats.statsmyapp.com  (176.32.99.156:80)

TCP (HTTP):
Connects to staging-app.crossrider.com  (149.126.72.103:80)

 
http://staging-app.crossrider.com/plugin/apps/33693/manifest/1_34_5_29/ie9/manifest.xml?ver=15&rnd=6341

Remove CrossriderApp0033693.exe - Powered by Reason Core Security