2870.exe

Oral Teams (Extreme White Limited)

The application 2870.exe by Oral Teams (Extreme White Limited) has been detected as a potentially unwanted program by 17 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.
Publisher:
Oral Teams (Extreme White Limited)  (signed and verified)

Version:
106.0.0.0

MD5:
71fb04449243dd3f25f3852ba5b3e8a6

SHA-1:
67bdeb32c1a3430bbc072dbb31ce8d82e553e299

SHA-256:
e87614a7f2ca911a04e7638d4643512c8c6fefa33e067babc26b5223972a9d21

Scanner detections:
17 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/22/2024 9:17:14 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Mikey.22593
484

avast!
Win32:Malware-gen
2014.9-150820

AVG
Win32/DH{gRJlfRMDICIlV04}
2016.0.3011

Bitdefender
Gen:Variant.Mikey.22593
1.0.20.1410

Dr.Web
Trojan.Crossrider1.46402
9.0.1.0232

Emsisoft Anti-Malware
Gen:Variant.Mikey.22593
8.15.10.09.01

ESET NOD32
Win32/Toolbar.CrossRider.CZ potentially unwanted (variant)
9.12129

F-Secure
Gen:Variant.Mikey.22593
11.2015-09-10_6

herdProtect (fuzzy)
2015.10.9.1

Kaspersky
not-a-virus:WebToolbar.Win32.CrossRider
14.0.0.1550

Malwarebytes
PUP.Optional.Crossrider.C
v2015.08.20.11

MicroWorld eScan
Gen:Variant.Mikey.22593
16.0.0.846

Panda Antivirus
Generic Suspicious
15.08.20.11

Reason Heuristics
PUP.ExtremeWhite.Bundler.Meta (M)
15.8.20.23

Sophos
AppRider (PUA)
4.98

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

VIPRE Antivirus
Crossrider
43074

File size:
1.9 MB (1,965,128 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\2870.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/14/2015 5:00:00 PM

Valid to:
4/14/2016 4:59:59 PM

Subject:
CN=Oral Teams (Extreme White Limited), O=Oral Teams (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B8F2E0D231E7596923282FB14A063652

File PE Metadata
Compilation timestamp:
8/20/2015 9:26:58 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:2cFyNvnH7k1xyeNAMqde0K0TApSb4wOG8klJAolXW1nHHAc+oE:v4NCxySAMqE0DQ8

Entry address:
0x12E40E

Entry point:
E8, 48, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, EE, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, 2E, 5C, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, EE, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...
 
[+]

Entropy:
6.6425

Code size:
1.4 MB (1,423,872 bytes)

Scheduled Task
Task name:
DDF2E165-B874-45B0-AC6C-A1C81E5CC8AC

Trigger:
Logon (Runs on logon)


The file 2870.exe has been discovered within the following program.

Crossbrowse  by CLARALABSOFTWARE
87% remove it
 
Powered by Should I Remove It?

The file 2870.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.10:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.1.252:80)

TCP (HTTP):
Connects to ec2-54-235-221-226.compute-1.amazonaws.com  (54.235.221.226:80)

TCP (HTTP):
Connects to ec2-54-83-21-73.compute-1.amazonaws.com  (54.83.21.73:80)

TCP (HTTP):
Connects to ec2-54-83-197-202.compute-1.amazonaws.com  (54.83.197.202:80)

TCP (HTTP):
Connects to ec2-54-243-98-31.compute-1.amazonaws.com  (54.243.98.31:80)

TCP (HTTP):
Connects to ec2-54-243-60-28.compute-1.amazonaws.com  (54.243.60.28:80)

TCP (HTTP):
Connects to ec2-54-243-252-249.compute-1.amazonaws.com  (54.243.252.249:80)

TCP (HTTP):
Connects to ec2-54-243-246-209.compute-1.amazonaws.com  (54.243.246.209:80)

TCP (HTTP):
Connects to ec2-54-243-242-176.compute-1.amazonaws.com  (54.243.242.176:80)

TCP (HTTP):
Connects to ec2-54-243-225-35.compute-1.amazonaws.com  (54.243.225.35:80)

TCP (HTTP):
Connects to ec2-54-243-221-235.compute-1.amazonaws.com  (54.243.221.235:80)

TCP (HTTP):
Connects to ec2-54-243-180-66.compute-1.amazonaws.com  (54.243.180.66:80)

TCP (HTTP):
Connects to ec2-54-243-123-255.compute-1.amazonaws.com  (54.243.123.255:80)

TCP (HTTP):
Connects to ec2-54-243-116-216.compute-1.amazonaws.com  (54.243.116.216:80)

TCP (HTTP):
Connects to ec2-54-243-114-196.compute-1.amazonaws.com  (54.243.114.196:80)

TCP (HTTP):
Connects to ec2-54-235-76-185.compute-1.amazonaws.com  (54.235.76.185:80)

TCP (HTTP):
Connects to ec2-54-235-66-200.compute-1.amazonaws.com  (54.235.66.200:80)

TCP (HTTP):
Connects to ec2-54-235-206-35.compute-1.amazonaws.com  (54.235.206.35:80)

TCP (HTTP):
Connects to ec2-54-235-187-231.compute-1.amazonaws.com  (54.235.187.231:80)

Remove 2870.exe - Powered by Reason Core Security