3016.exe

City Center Games (Extreme White Limited)

The application 3016.exe by City Center Games (Extreme White Limited) has been detected as adware by 16 anti-malware scanners. It is a setup program used to install the application. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE, which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension platform; while the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from 41.223.201.248 and multiple other hosts. While running, it connects to the Internet address lb-182-252.above.com on port 80 using the HTTP protocol.
Publisher:
City Center Games (Extreme White Limited)

Version:
106.0.0.0

MD5:
59433fe179a54e675f2cac141da1731c

SHA-1:
b03c728e7cde9663851df06beeb82d081478e845

SHA-256:
17aeca150d3024523289386004dd1699fd75b2b1e91af4ac3394bd915c35f5d5

Scanner detections:
16 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/23/2024 11:58:18 AM UTC

Scan engine              Detection                                                   Engine version
Agnitum Outpost          PUA.Toolbar.CrossRider                                      7.1.1
AhnLab V3 Security       PUP/Win32.CrossRider                                        2015.06.21
Avira AntiVirus          ADWARE/CrossRider.Gen7                                      8.3.1.6
AVG                      Generic                                                     2016.0.3066
Baidu Antivirus          Adware.Win32.CrossAd                                        4.0.3.15626
Bkav FE                  W32.HfsAdware                                               1.3.0.6379
Dr.Web                   Trojan.Crossrider1.31292                                    9.0.1.0177
ESET NOD32               Win32/Toolbar.CrossRider.CN potentially unwanted (variant)  9.11817
Fortinet FortiGate       Riskware/CrossRider                                         6/26/2015
K7 AntiVirus             Unwanted-Program                                            13.205.16308
Malwarebytes             PUP.Optional.CrossBrowse                                    v2015.06.26.07
Panda Antivirus          Trj/Genetic.gen                                             15.06.26.07
Reason Heuristics        PUP.installCore.CityCenterGamesExtremeWhiteLimited (M)      15.6.26.15
Trend Micro House Call   Suspicious_GEN.F47V0619                                     7.2.177
Vba32 AntiVirus          suspected of Trojan.Downloader.gen.h                        3.12.26.4
VIPRE Antivirus          Trojan.Win32.Generic                                        41306

File size:
1.9 MB (1,957,976 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\3016.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/14/2015 9:00:00 PM

Valid to:
4/14/2016 8:59:59 PM

Subject:
CN=City Center Games (Extreme White Limited), O=City Center Games (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00808728FFBF020E8929813B59AA2EC529

File PE Metadata
Compilation timestamp:
5/28/2015 9:48:12 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:arZhre7NHjyywxJOr1SSkOTapSU/i9L12HEz5hF8FTj:0rreB4xJq1zkis

Entry address:
0x129CDE

Entry point:
E8, 58, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, 8E, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, CE, 5B, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, 8E, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...

Code size:
1.3 MB (1,402,368 bytes)

The file 3016.exe has been discovered within the following program.

Crossbrowse by CLARALABSOFTWARE (87% of users remove it, according to Should I Remove It?)

The file 3016.exe has been seen being distributed by the following 7 URLs.

http://41.223.201.248/.../installer.exe

http://113.171.224.205/.../installer.exe

http://113.171.224.168/.../installer.exe

The executing file has been seen to make the following network communications in live environments.

Powered by Reason Core Security