home

6251.exe

You Two Lab (Extreme White Limited)

The application 6251.exe by You Two Lab (Extreme White Limited) has been detected as a potentially unwanted program by 9 anti-malware scanners. This is a setup program which is used to install the application. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from dl.keyprobox.com.
Publisher:
You Two Lab (Extreme White Limited)  (signed and verified)

Version:
106.0.0.0

MD5:
3fc0cb3da9ab0e8f677b25a866a54753

SHA-1:
2ce3bf0eb7ce2b73358ed9617b3187bf1c746667

SHA-256:
b114fc5123b05dde09ce4547485ebf81ebb94393d20c23e4127496d7496d790a

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/15/2024 2:49:42 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/CrossRider.1977928.6
8.3.1.6

avast!
Win32:Malware-gen
2014.9-150717

Dr.Web
Trojan.Crossrider1.43107
9.0.1.0198

ESET NOD32
Win32/Toolbar.CrossRider.CT potentially unwanted application
9.7.0.302.0

Kaspersky
not-a-virus:HEUR:AdWare.Win32.CrossRider
14.0.0.1724

Malwarebytes
PUP.Optional.Crossbrowse.C
v2015.07.17.04

Reason Heuristics
PUP.ExtremeWhite.Bundler.Meta (M)
15.7.17.0

Sophos
PUA 'AppRider' (of type Adware)
5.15

VIPRE Antivirus
Threat.4789396
41424

File size:
1.9 MB (1,979,976 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\6251.exe

Digital Signature
Signed by:
You Two Lab (Extreme White Limited)

Authority:
COMODO CA Limited

Valid from:
4/15/2015 2:00:00 AM

Valid to:
4/15/2016 1:59:59 AM

Subject:
CN=You Two Lab (Extreme White Limited), O=You Two Lab (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DA184DA11A5376568B6099B7928BCCBB

File PE Metadata
Compilation timestamp:
7/14/2015 12:08:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:eUg0aCJdW03Ai7vAV3ejTpixTlpS6xiyKEWmrEbs14c:fg1CWwAi743assU

Entry address:
0x12D09E

Entry point:
E8, 58, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, DE, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, 1E, 5C, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, DE, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...
 
[+]

Code size:
1.4 MB (1,418,240 bytes)

The file 6251.exe has been discovered within the following program.

Crossbrowse  by CLARALABSOFTWARE
87% remove it
 
Powered by Should I Remove It?

The file 6251.exe has been seen being distributed by the following URL.

http://dl.keyprobox.com/crcb/.../installer.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to ip-50-63-202-62.ip.secureserver.net  (50.63.202.62:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (52.216.81.242:80)

TCP (HTTP):
Connects to euve246913.serverprofi24.com  (62.75.142.165:80)

TCP (HTTP):
Connects to ec2-54-243-159-53.compute-1.amazonaws.com  (54.243.159.53:80)

TCP (HTTP):
Connects to ec2-54-235-116-11.compute-1.amazonaws.com  (54.235.116.11:80)

TCP (HTTP):
Connects to ec2-54-221-207-153.compute-1.amazonaws.com  (54.221.207.153:80)

TCP (HTTP):
Connects to ec2-50-17-235-124.compute-1.amazonaws.com  (50.17.235.124:80)

TCP (HTTP):
Connects to ec2-50-16-231-217.compute-1.amazonaws.com  (50.16.231.217:80)

TCP (HTTP):
Connects to ec2-23-23-251-76.compute-1.amazonaws.com  (23.23.251.76:80)

TCP (HTTP):
Connects to ec2-23-23-190-31.compute-1.amazonaws.com  (23.23.190.31:80)

TCP (HTTP):
Connects to ec2-23-23-162-52.compute-1.amazonaws.com  (23.23.162.52:80)

TCP (HTTP):
Connects to ec2-23-23-116-0.compute-1.amazonaws.com  (23.23.116.0:80)

TCP (HTTP):
Connects to ec2-23-21-210-88.compute-1.amazonaws.com  (23.21.210.88:80)

TCP (HTTP):
Connects to ec2-23-21-174-210.compute-1.amazonaws.com  (23.21.174.210:80)

TCP (HTTP):
Connects to ec2-184-73-212-255.compute-1.amazonaws.com  (184.73.212.255:80)

TCP (HTTP):
Connects to ec2-107-22-247-81.compute-1.amazonaws.com  (107.22.247.81:80)

TCP (HTTP):
Connects to ec2-107-21-203-65.compute-1.amazonaws.com  (107.21.203.65:80)

Remove 6251.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.