2603.exe

GoHD

City Road labs (Extreme White Limited)

The application 2603.exe by City Road labs (Extreme White Limited) has been detected as adware by 24 anti-malware scanners. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
InstallMoon  (signed by City Road labs (Extreme White Limited))

Product:
GoHD

Description:
GoHD exe

Version:
1000.1000.1000.1000

MD5:
ec02fb7ff923e62d672b114051dbbf2f

SHA-1:
9a4c7870445d3def66b9b3e44a9c1885da6ef457

Scanner detections:
24 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/22/2024 9:20:38 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.Graftor.188636 | 556
AhnLab V3 Security | PUP/Win32.CrossRider | 2015.07.29
Avira AntiVirus | ADWARE/CrossRider.Gen7 | 8.3.1.6
Arcabit | Trojan.Adware.Graftor.D2E0DC | 1.0.0.425
avast! | Win32:Adware-CMH [PUP] | 2014.9-150729
AVG | Generic_r | 2016.0.3034
Baidu Antivirus | Adware.Win32.CrossAd | 4.0.3.15729
Bitdefender | Gen:Variant.Adware.Graftor.188636 | 1.0.20.1050
Bkav FE | W32.HfsAdware | 1.3.0.6979
Dr.Web | Trojan.Crossrider1.42769 | 9.0.1.0210
Emsisoft Anti-Malware | Gen:Variant.Adware.Graftor.188636 | 8.15.07.29.07
ESET NOD32 | Win32/Toolbar.CrossRider.CD potentially unwanted (variant) | 9.12010
F-Secure | Gen:Variant.Adware.Graftor | 11.2015-29-07_4
G Data | Gen:Variant.Adware.Graftor.188636 | 15.7.25
K7 AntiVirus | Unwanted-Program | 13.207.16714
Kaspersky | not-a-virus:HEUR:WebToolbar.Win32.CrossRider | 14.0.0.1663
Malwarebytes | PUP.Optional.GoHD.A | v2015.07.29.07
MicroWorld eScan | Gen:Variant.Adware.Graftor.188636 | 16.0.0.630
Panda Antivirus | Trj/Genetic.gen | 15.07.29.07
Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1015
Reason Heuristics | PUP.ExtremeWhite.CityRoadlabsExtremeWhiteLimited (M) | 15.7.29.7
Rising Antivirus | PE:Malware.Adwapper!6.2061 | 23.00.65.15727
Sophos | AppRider | 4.98
SUPERAntiSpyware | Adware.CrossRider/Variant | 9724

File size:
1.2 MB (1,258,064 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
GoHD.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\2603.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 5:30:00 AM

Valid to:
4/15/2016 5:29:59 AM

Subject:
CN=City Road labs (Extreme White Limited), O=City Road labs (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00AE3B988EFE11AFE67F31C19E83D194B6

File PE Metadata
Compilation timestamp:
7/28/2015 7:35:46 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:kGNLYRKxsBU94n59UQIF9nz8e9uTopSFoyGftAZ+hQqB/l+:ZkUS5e9nAe9uTopSFBAtAZ+hQW/l+

Entry address:
0x9E5BD

Entry point:
E8, D1, 06, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, B8, 89, 51, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 58, 51, 51, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, B8, 89, 51, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8...
 

Entropy:
6.4663

Code size:
798 KB (817,152 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.10:80)

TCP (HTTP):
Connects to ip-50-63-202-62.ip.secureserver.net  (50.63.202.62:80)
