4378.exe

You Two Lab (Extreme White Limited)

The application 4378.exe by You Two Lab (Extreme White Limited) has been detected as a potentially unwanted program by 23 anti-malware scanners. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from 113.171.224.216 and multiple other hosts. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
You Two Lab (Extreme White Limited)  (signed and verified)

Version:
106.0.0.0

MD5:
13574f56f4665ffbbc6ea06016476785

SHA-1:
a4f874d5b0cfcccc12359dbca6c9ae7768b3cc7f

SHA-256:
2529cd27da85c0aa6683f4327e67afd59a9432c9567d9ff70f11dd7f72062e68

Scanner detections:
23 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/24/2024 11:58:05 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.CrossRider
7.1.1

Avira AntiVirus
ADWARE/CrossRider.1977928.6
8.3.1.6

avast!
Win32:Malware-gen
2014.9-150911

AVG
Generic
2016.0.3027

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.1585

Bkav FE
W32.HfsAdware
1.3.0.6979

Dr.Web
Trojan.Crossrider1.43107
9.0.1.0217

ESET NOD32
Win32/Toolbar.CrossRider.CT potentially unwanted application
9.7.0.302.0

Fortinet FortiGate
W32/AppRider.CT
8/5/2015

G Data
Win32.Application.Agent.C98ETU
15.8.25

herdProtect (fuzzy)
2015.9.11.15

K7 AntiVirus
Unwanted-Program
13.207.16772

Kaspersky
not-a-virus:HEUR:AdWare.Win32.CrossRider
14.0.0.1628

Malwarebytes
PUP.Optional.Crossbrowse.C
v2015.08.05.11

McAfee
Artemis!13574F56F466
5600.6683

NANO AntiVirus
Trojan.Win32.Crossrider1.ductxr
0.30.24.2668

Qihoo 360 Security
Win32/Virus.Adware.798
1.0.0.1015

Reason Heuristics
PUP.ExtremeWhite.Bundler.Meta (M)
15.8.5.11

Sophos
PUA 'AppRider' (of type Adware)
5.15

Trend Micro
TROJ_GEN.R00UC0OH215
10.465.05

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

VIPRE Antivirus
Threat.4789396
41424

Zillya! Antivirus
Adware.CrossRider.Win32.14138
2.0.0.2325

File size:
1.9 MB (1,979,976 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\4378.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 7:00:00 AM

Valid to:
4/15/2016 6:59:59 AM

Subject:
CN=You Two Lab (Extreme White Limited), O=You Two Lab (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DA184DA11A5376568B6099B7928BCCBB

File PE Metadata
Compilation timestamp:
7/14/2015 5:08:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:SUg0aCJdW03Ai7vAV3ejTpixTlpS6xizKEWmrEbs14D:bg1CWwAi743assq

Entry address:
0x12D09E

Entry point:
E8, 58, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, DE, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, 1E, 5C, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, DE, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...
 
[+]

Entropy:
6.6518

Code size:
1.4 MB (1,418,240 bytes)

The file 4378.exe has been discovered within the following program.

Crossbrowse  by CLARALABSOFTWARE
87% remove it
 
Powered by Should I Remove It?

The file 4378.exe has been seen being distributed by the following 3 URLs.

http://113.171.224.216/.../installer.exe

http://113.171.224.178/.../installer.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

Remove 4378.exe - Powered by Reason Core Security