1066.exe

York New Labs (Extreme White Limited)

The application 1066.exe by York New Labs (Extreme White Limited) has been detected as a potentially unwanted program by 10 anti-malware scanners. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE, which is itself a potentially unwanted software program. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from dl.ourstaticdatastorage.com.
Publisher:
York New Labs (Extreme White Limited) (signed and verified)

Version:
106.0.0.0

MD5:
18fbab1803a900c10d5b31507f150edd

SHA-1:
e98c1a76ad6b89d506c4e691ecc13d88f7768bfd

SHA-256:
a76f02efe92fe65b7606f352f2620d7a4c679c939b2e2e533fa5f2283b385130

Scanner detections:
10 / 68

Status:
Potentially unwanted

Explanation:
May modify the web browser's settings, including changing the homepage and search provider, in addition to delivering ads (by injecting banners and text links directly into the web page).

Analysis date:
11/22/2024 9:23:54 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | PUP/Win32.CrossRider | 2015.06.26
Avira AntiVirus | ADWARE/CrossRider.Gen7 | 8.3.1.6
AVG | Win32/DH{gRJlfRMDICIlV04} | 2016.0.3067
ESET NOD32 | Win32/Toolbar.CrossRider.CN potentially unwanted (variant) | 9.11842
Kaspersky | HEUR:Trojan-Downloader.Win32.Generic | 14.0.0.1831
Malwarebytes | PUP.Optional.Crossbrowse.C | v2015.06.25.08
Panda Antivirus | Trj/Genetic.gen | 15.06.25.08
Reason Heuristics | Threat.Win.Reputation.IMP | 15.6.25.20
Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.4
VIPRE Antivirus | Crossrider | 41436

File size:
1.9 MB (1,957,968 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\1066.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/14/2015 5:00:00 PM

Valid to:
4/14/2016 4:59:59 PM

Subject:
CN=York New Labs (Extreme White Limited), O=York New Labs (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00927773AE2A990E6BEB7E5455470BEF66

File PE Metadata
Compilation timestamp:
6/17/2015 2:55:53 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:MfecA1+cHOEBmaByDTcB1kTapSUdNpJKToXIu8QHFBC8FTB:KHA1XXBy3cPoIn

Entry address:
0x129D2E

Entry point:
E8, 48, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, 8E, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, CE, 5B, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, 8E, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...

Entropy:
6.6606

Code size:
1.3 MB (1,402,368 bytes)

The file 1066.exe has been discovered within the following program.

Crossbrowse  by CLARALABSOFTWARE
87% of users remove it (according to Should I Remove It?)

The file 1066.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (52.216.64.114:80)

TCP (HTTP):
Connects to ec2-54-225-167-36.compute-1.amazonaws.com  (54.225.167.36:80)

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.10:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to ec2-54-83-202-199.compute-1.amazonaws.com  (54.83.202.199:80)

TCP (HTTP):
Connects to ec2-54-243-45-51.compute-1.amazonaws.com  (54.243.45.51:80)

TCP (HTTP):
Connects to ec2-54-243-45-241.compute-1.amazonaws.com  (54.243.45.241:80)

TCP (HTTP):
Connects to ec2-54-243-37-192.compute-1.amazonaws.com  (54.243.37.192:80)

TCP (HTTP):
Connects to ec2-54-243-242-176.compute-1.amazonaws.com  (54.243.242.176:80)

TCP (HTTP):
Connects to ec2-54-243-224-121.compute-1.amazonaws.com  (54.243.224.121:80)

TCP (HTTP):
Connects to ec2-54-243-170-106.compute-1.amazonaws.com  (54.243.170.106:80)

TCP (HTTP):
Connects to ec2-54-243-169-242.compute-1.amazonaws.com  (54.243.169.242:80)

TCP (HTTP):
Connects to ec2-54-243-163-2.compute-1.amazonaws.com  (54.243.163.2:80)

TCP (HTTP):
Connects to ec2-54-243-161-21.compute-1.amazonaws.com  (54.243.161.21:80)

TCP (HTTP):
Connects to ec2-54-243-152-133.compute-1.amazonaws.com  (54.243.152.133:80)

TCP (HTTP):
Connects to ec2-54-243-114-196.compute-1.amazonaws.com  (54.243.114.196:80)

TCP (HTTP):
Connects to ec2-54-243-110-17.compute-1.amazonaws.com  (54.243.110.17:80)

TCP (HTTP):
Connects to ec2-54-235-78-209.compute-1.amazonaws.com  (54.235.78.209:80)

TCP (HTTP):
Connects to ec2-54-235-66-200.compute-1.amazonaws.com  (54.235.66.200:80)

TCP (HTTP):
Connects to ec2-54-235-248-112.compute-1.amazonaws.com  (54.235.248.112:80)

Remove 1066.exe - Powered by Reason Core Security