setup.exe

GoHD

City Road labs (Extreme White Limited)

The application setup.exe by City Road labs (Extreme White Limited) has been detected as adware by 24 anti-malware scanners. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software. It is built with the Crossrider cross-browser extension toolkit; although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is typically executed from the user's temporary directory and has been seen being downloaded from dl.ourinputinfonet.com and multiple other hosts.

Publisher:
InstallMoon (signed by City Road labs (Extreme White Limited))

Product:
GoHD

Description:
GoHD Installer

Version:
1.36.01.22

MD5:
34d7eb2a201f45baa675f8c5d829ad56

SHA-1:
0a0b4d45d6ee1bcc3a4f14539ea1d67fc4a4083b

SHA-256:
a650274251ba57740c92dc61440cd514303925845b05b5eb2111edcfc4b1814d

Scanner detections:
24 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
5/6/2024 1:46:37 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Adware.Generic.1249134 | 482 |
| Agnitum Outpost | Riskware.ScrambleWrapper | 7.1.1 |
| AhnLab V3 Security | PUP/Win32.CrossRider | 2015.07.14 |
| Avira AntiVirus | ADWARE/CrossRider.Gen7 | 8.3.1.6 |
| avast! | Win32:ScrambleWrapper-A [PUP] | 2014.9-151010 |
| AVG | AdLoad | 2016.0.2960 |
| Bkav FE | W32.HfsAdware | 1.3.0.6979 |
| Clam AntiVirus | Win.Trojan.Crossrider-36 | 0.98/21511 |
| Dr.Web | Trojan.Crossrider1.42769 | 9.0.1.0283 |
| ESET NOD32 | Win32/Packed.ScrambleWrapper.O potentially unwanted application | 9.7.0.302.0 |
| Fortinet FortiGate | PossibleThreat | 10/10/2015 |
| G Data | Win32.Adware.CrossriderWrapper | 15.10.25 |
| IKARUS anti.virus | PUA.ScrambleWrapper | t3scan.1.9.5.0 |
| K7 AntiVirus | Adware | 13.205.16213 |
| Malwarebytes | PUP.Optional.GoHD.A | v2015.10.10.12 |
| McAfee | Artemis!CD9EC9BA8523 | 5600.6616 |
| MicroWorld eScan | Adware.Generic.1238912 | 16.0.0.849 |
| NANO AntiVirus | Trojan.Win32.MLW.dpnylv | 0.30.24.2487 |
| Panda Antivirus | Generic Suspicious | 15.10.10.12 |
| Reason Heuristics | PUP.ExtremeWhite.CityRoadlabsExtremeWhiteLimited.Installer (M) | 15.10.10.12 |
| Rising Antivirus | PE:Malware.Adwapper!6.25A8 | 23.00.65.151008 |
| Trend Micro House Call | Suspici.CF2FA188 | 7.2.283 |
| Vba32 AntiVirus | Trojan.GoogUpdate | 3.12.26.4 |
| VIPRE Antivirus | Trojan.Win32.Generic | 40082 |

File size:
11.2 MB (11,767,336 bytes)

Copyright:
Copyright InstallMoon

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 3:00:00 AM

Valid to:
4/15/2016 2:59:59 AM

Subject:
CN=City Road labs (Extreme White Limited), O=City Road labs (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00AE3B988EFE11AFE67F31C19E83D194B6

File PE Metadata
Compilation timestamp:
12/4/2012 3:55:11 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:AN438qjLOXKb5d9iJPMFASXkAbJ4XFs7xz0tTJpklSi2aBZ:n384B/iVMFhHJ0F00PpdSv

Entry address:
0x412D

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 73, 45, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 74, 45, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 74, 45, 00, 56, A3, F4, E7, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8B, 3B, 00, 00, A3, 50, E8, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A9, B2, 40, 00, FF, 15, AC, 74, 45, 00, 83, EC, 14, C7, 44, 24, 04, AA, B2, 40, 00, C7...
 
Code size:
33.5 KB (34,304 bytes)

The file setup.exe has been seen being distributed by the following 2 URLs.
