6251.exe

You Two Lab (Extreme White Limited)

The application 6251.exe by You Two Lab (Extreme White Limited) has been detected as a potentially unwanted program by 9 anti-malware scanners. This is a setup program which is used to install the application. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. The file has been seen being downloaded from dl.keyprobox.com.
Publisher:
You Two Lab (Extreme White Limited) (signed and verified)

Version:
106.0.0.0

MD5:
3fc0cb3da9ab0e8f677b25a866a54753

SHA-1:
2ce3bf0eb7ce2b73358ed9617b3187bf1c746667

SHA-256:
b114fc5123b05dde09ce4547485ebf81ebb94393d20c23e4127496d7496d790a

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/24/2024 11:44:17 AM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | ADWARE/CrossRider.1977928.6 | 8.3.1.6
avast! | Win32:Malware-gen | 2014.9-150717
Dr.Web | Trojan.Crossrider1.43107 | 9.0.1.0198
ESET NOD32 | Win32/Toolbar.CrossRider.CT potentially unwanted application | 9.7.0.302.0
Kaspersky | not-a-virus:HEUR:AdWare.Win32.CrossRider | 14.0.0.1724
Malwarebytes | PUP.Optional.Crossbrowse.C | v2015.07.17.04
Reason Heuristics | PUP.ExtremeWhite.Bundler.Meta (M) | 15.7.17.0
Sophos | PUA 'AppRider' (of type Adware) | 5.15
VIPRE Antivirus | Threat.4789396 | 41424

File size:
1.9 MB (1,979,976 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\6251.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 2:00:00 AM

Valid to:
4/15/2016 1:59:59 AM

Subject:
CN=You Two Lab (Extreme White Limited), O=You Two Lab (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DA184DA11A5376568B6099B7928BCCBB

File PE Metadata
Compilation timestamp:
7/14/2015 12:08:52 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:eUg0aCJdW03Ai7vAV3ejTpixTlpS6xiyKEWmrEbs14c:fg1CWwAi743assU

Entry address:
0x12D09E

Entry point:
E8, 58, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, DE, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, 1E, 5C, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, DE, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...

Code size:
1.4 MB (1,418,240 bytes)

The file 6251.exe has been discovered within the following program.

Crossbrowse by CLARALABSOFTWARE

The file 6251.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

