5859.exe

You Two Lab (Extreme White Limited)

The application 5859.exe by You Two Lab (Extreme White Limited) has been detected as a potentially unwanted program by 13 anti-malware scanners. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address hwcdn.net on port 80 using the HTTP protocol.
Publisher:
You Two Lab (Extreme White Limited)  (signed and verified)

Version:
106.0.0.0

MD5:
dc24df79a82dcf59d28f0cd675de2cfb

SHA-1:
f50501d3854be1d65a734039d22b1d7ac2850af5

SHA-256:
37f9630c1f377e27555f9b16f0cfc94c65e1624754abc63a906f5929faafe621

Scanner detections:
13 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/23/2024 10:09:42 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
2014.9-150720

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.15720

Clam AntiVirus
Win.Trojan.Troldesh-2
0.98/21511

Dr.Web
Trojan.Crossrider1.43107
9.0.1.0201

ESET NOD32
Win32/Toolbar.CrossRider.CT potentially unwanted (variant)
9.11962

K7 AntiVirus
Unwanted-Program
13.207.16606

Kaspersky
not-a-virus:HEUR:AdWare.Win32.CrossRider
14.0.0.1710

Malwarebytes
PUP.Optional.Crossbrowse.C
v2015.07.20.12

NANO AntiVirus
Trojan.Win32.Crossrider1.duanbp
0.30.24.2487

Reason Heuristics
PUP.ExtremeWhite.Bundler.Meta (M)
15.7.20.0

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

VIPRE Antivirus
Crossrider
42138

Zillya! Antivirus
Adware.CrossRider.Win32.14158
2.0.0.2300

File size:
1.9 MB (1,977,928 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\5859.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 1:00:00 AM

Valid to:
4/15/2016 12:59:59 AM

Subject:
CN=You Two Lab (Extreme White Limited), O=You Two Lab (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DA184DA11A5376568B6099B7928BCCBB

File PE Metadata
Compilation timestamp:
7/8/2015 8:25:23 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:VHSkKg2ZGtNChcES8J/5H1XbKTFpSKixAcv+8PBeipnv8FT1:JhKvAtNOcES81/G

Entry address:
0x12CE6E

Entry point:
E8, 4A, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, CE, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, 0E, 5C, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, CE, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...
 
[+]

Code size:
1.4 MB (1,417,216 bytes)

The file 5859.exe has been discovered within the following program.

Crossbrowse  by CLARALABSOFTWARE
87% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-50-63-202-62.ip.secureserver.net  (50.63.202.62:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.10:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (52.216.81.18:80)

TCP (HTTP):
Connects to ec2-54-243-113-132.compute-1.amazonaws.com  (54.243.113.132:80)

TCP (HTTP):
Connects to ec2-75-101-133-248.compute-1.amazonaws.com  (75.101.133.248:80)

TCP (HTTP):
Connects to ec2-54-235-132-90.compute-1.amazonaws.com  (54.235.132.90:80)

TCP (HTTP):
Connects to ec2-50-17-189-123.compute-1.amazonaws.com  (50.17.189.123:80)

TCP (HTTP):
Connects to ec2-23-23-165-47.compute-1.amazonaws.com  (23.23.165.47:80)

TCP (HTTP):
Connects to ec2-54-243-91-79.compute-1.amazonaws.com  (54.243.91.79:80)

TCP (HTTP):
Connects to ec2-54-243-49-106.compute-1.amazonaws.com  (54.243.49.106:80)

TCP (HTTP):
Connects to ec2-54-243-171-118.compute-1.amazonaws.com  (54.243.171.118:80)

TCP (HTTP):
Connects to ec2-54-243-110-76.compute-1.amazonaws.com  (54.243.110.76:80)

TCP (HTTP):
Connects to ec2-54-243-110-253.compute-1.amazonaws.com  (54.243.110.253:80)

TCP (HTTP):
Connects to ec2-54-235-128-66.compute-1.amazonaws.com  (54.235.128.66:80)

TCP (HTTP):
Connects to ec2-54-221-207-153.compute-1.amazonaws.com  (54.221.207.153:80)

TCP (HTTP):
Connects to ec2-23-23-251-76.compute-1.amazonaws.com  (23.23.251.76:80)

TCP (HTTP):
Connects to ec2-23-23-190-31.compute-1.amazonaws.com  (23.23.190.31:80)

TCP (HTTP):
Connects to ec2-23-23-114-129.compute-1.amazonaws.com  (23.23.114.129:80)

TCP (HTTP):
Connects to ec2-23-21-185-158.compute-1.amazonaws.com  (23.21.185.158:80)

TCP (HTTP):
Connects to ec2-174-129-6-130.compute-1.amazonaws.com  (174.129.6.130:80)

Remove 5859.exe - Powered by Reason Core Security