ousbu.exe

GoHD

City Road labs (Extreme White Limited)

The application ousbu.exe by City Road labs (Extreme White Limited) has been detected as adware by 22 of 68 anti-malware scanners. The program is the GoHD setup application, packaged with the Nullsoft Install System (NSIS) and built on the Crossrider cross-browser extension platform. While the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It typically runs from a randomly named .tmp subdirectory of the user's temporary directory (see Common path below). While running, it connects over HTTP (TCP port 80) to hwcdn.net and to two Amazon Web Services hosts listed under network communications below. The file carries a code-signing signature issued by COMODO to the publisher named in the certificate subject; a signature only establishes who signed the file, not that it is benign. Most of the detections are generic Crossrider/PUP names rather than a family-specific signature (McAfee's Artemis name, for example, embeds the first twelve hex digits of the file's MD5).
Publisher:
InstallMoon (signed by City Road labs (Extreme White Limited))

Product:
GoHD

Description:
GoHD Installer

Version:
1.36.01.22

MD5:
8a71e3e86757b4c5dd3603ecb9de8aeb

SHA-1:
43a2d47a818fd094f512c3cbac9620d7967d3ee7

SHA-256:
a043cb737a1b88433c6eca42fd666937991debea79f615aa30cadeb4b1124854

Scanner detections:
22 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/24/2024 9:49:53 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.JS.Crossrider.B | 597
AhnLab V3 Security | PUP/Win32.CrossRider | 2015.06.17
Avira AntiVirus | ADWARE/CrossRider.Gen | 8.3.1.6
AVG | Crossrider | 2016.0.3075
Bkav FE | W32.HfsAdware | 1.3.0.6379
Dr.Web | Trojan.Crossrider.46916 | 9.0.1.0168
ESET NOD32 | Win32/Toolbar.CrossRider.CM potentially unwanted (variant) | 9.11795
Fortinet FortiGate | Riskware/CrossRider | 6/17/2015
G Data | Script.Application.Plush | 15.6.25
Malwarebytes | PUP.Optional.GoHD.A | v2015.06.17.12
McAfee | Artemis!8A71E3E86757 | 5600.6731
MicroWorld eScan | Adware.JS.Crossrider.B | 16.0.0.504
Panda Antivirus | PUP/Plus-HD | 15.06.17.12
Qihoo 360 Security | HEUR/QVM20.1.Malware.Gen | 1.0.0.1015
Quick Heal | JS.Adware.CrossRider.A | 6.15.14.00
Reason Heuristics | PUP.Installer.ExtremeWhite | 15.6.17.8
Rising Antivirus | PE:Malware.Obscure!1.9C59 | 23.00.65.15615
Trend Micro House Call | Suspici.AAC3522D | 7.2.168
Trend Micro | ADW_CROSSRIDER | 10.465.17
Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.4
VIPRE Antivirus | Trojan.Win32.Generic | 41186
Zillya! Antivirus | Trojan.BlackGen.Win32.11 | 2.0.0.2227

File size:
11.4 MB (11,968,456 bytes)

Copyright:
Copyright InstallMoon

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\ousbu.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 9:00:00 AM

Valid to:
4/15/2016 8:59:59 AM

Subject:
CN=City Road labs (Extreme White Limited), O=City Road labs (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00AE3B988EFE11AFE67F31C19E83D194B6

File PE Metadata
Compilation timestamp:
12/4/2012 10:55:02 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:tl/9ZiH7kbx/jRa8cTDpRSW6IEvesARAl61/fb9oKI4qRvR:tlSHwbhjvcTm1msQAcHeVRlR

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...
 

Code size:
34.5 KB (35,328 bytes)
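The PE fields above (compile timestamp, linker and OS version, subsystem, entry RVA and the first bytes at the entry point) are what an analyst compares when deciding whether a sample on disk is the same build as the one scanned here. The following is an added example, not code from this report or from the publisher: a minimal PE32 header reader that pulls those fields from a raw image and lists which of them disagree with the values reported. Because the real file is not reproduced here, the block also builds a constructed stand-in image carrying the reported values so it runs offline; that image is not ousbu.exe. It assumes the reported compilation timestamp is in UTC and only handles 32-bit (PE32) images, which is all this report needs.

```python
import struct
from datetime import datetime, timezone

# Values reported above for ousbu.exe. The stand-in image built below is
# constructed to carry the same fields and is NOT the real file.
REPORTED_ENTRY_RVA = 0x4323
REPORTED_ENTRY_BYTES = bytes.fromhex("5589E557565381ECAC010000FF1574C3")  # first 16 listed bytes
REPORTED = {"linker_version": "2.22", "os_version": "4.0", "subsystem": "Windows GUI"}

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for _name, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data, entry_len=16):
    """Read the PE32 fields shown in the report from a raw image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, sym ptr, nsyms, SizeOfOptionalHeader, Characteristics
    _machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)  # MajorOperatingSystemVersion, Minor
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]        # Subsystem
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    entry_off = rva_to_offset(sections, entry_rva)
    return {
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc),  # assumption: stamp is UTC
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "entry_bytes": data[entry_off:entry_off + entry_len],
    }


def mismatches(meta):
    """Names of fields where a parsed image disagrees with the report (empty list = same build)."""
    bad = [k for k, v in REPORTED.items() if meta[k] != v]
    if meta["entry_rva"] != REPORTED_ENTRY_RVA:
        bad.append("entry_rva")
    if not meta["entry_bytes"].startswith(REPORTED_ENTRY_BYTES):
        bad.append("entry_bytes")
    return bad


def build_sample_pe():
    """Constructed minimal PE32 carrying the reported fields; this is not ousbu.exe."""
    text_va, text_raw, text_size = 0x1000, 0x400, 0x4000
    img = bytearray(text_raw + text_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    stamp = int(datetime(2012, 12, 4, 22, 55, 2, tzinfo=timezone.utc).timestamp())
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = 0x58
    struct.pack_into("<HBB", img, opt, 0x10B, 2, 22)              # PE32 magic, linker 2.22
    struct.pack_into("<I", img, opt + 16, REPORTED_ENTRY_RVA)
    struct.pack_into("<HH", img, opt + 40, 4, 0)                  # OS version 4.0
    struct.pack_into("<H", img, opt + 68, 2)                      # subsystem: Windows GUI
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", text_size, text_va, text_size, text_raw)
    off = text_raw + (REPORTED_ENTRY_RVA - text_va)
    img[off:off + len(REPORTED_ENTRY_BYTES)] = REPORTED_ENTRY_BYTES
    return bytes(img)


if __name__ == "__main__":
    meta = parse_pe(build_sample_pe())
    for key, value in meta.items():
        print(f"{key}: {value.hex() if isinstance(value, bytes) else value}")
    print("mismatches:", mismatches(meta))
```

To check a real sample, replace `build_sample_pe()` with the bytes of the file under examination; a non-empty `mismatches` list means it is not the build described on this page, even if the filename matches. The section-table lookup matters because NSIS stubs place the entry point well inside .text, so reading at the RVA as if it were a file offset would return the wrong bytes.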

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.16.220:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.10:80)

TCP (HTTP):
Connects to ec2-54-225-86-116.compute-1.amazonaws.com  (54.225.86.116:80)
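The three destinations above are weak indicators on their own: hwcdn.net is a CDN domain and the amazonaws.com names are generic AWS hosting, so plenty of legitimate traffic reaches them. What makes a hit meaningful is corroboration with the file-specific indicator on this page, the executable running from a .tmp subdirectory of the user's temp folder. The following is an added example, not part of this report or of any vendor's product: it sweeps constructed key=value log lines (a made-up format, not any real sensor's output) for the reported hosts, IP:port pairs and common path, and grades each hit as strong only when the path indicator is present.

```python
import re

# Indicators taken from the report above (host -> IP seen, all on TCP port 80).
REPORT_HOSTS = {
    "s3-website-us-east-1.amazonaws.com": "54.231.16.220",
    "hwcdn.net": "69.16.175.10",
    "ec2-54-225-86-116.compute-1.amazonaws.com": "54.225.86.116",
}
REPORT_PORT = "80"

# Common path from the report; the {user} and {random} placeholders become wildcards.
PATH_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.tmp\\ousbu\.exe$", re.IGNORECASE
)

# Constructed log shape: key=value pairs, values optionally double-quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample lines; the process paths, IPs and timestamps are invented.
SAMPLE_LOG = [
    'ts=2015-06-17T10:01:02Z proc="C:\\users\\alice\\appdata\\local\\temp\\nsk1234.tmp\\ousbu.exe" '
    'dst=69.16.175.10:80 host=hwcdn.net',
    'ts=2015-06-17T10:01:05Z proc="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'dst=142.250.72.14:443 host=www.google.com',
    'ts=2015-06-17T10:02:11Z proc="C:\\Windows\\System32\\svchost.exe" '
    'dst=52.216.0.1:80 host=s3-website-us-east-1.amazonaws.com',
]


def parse_kv(line):
    """Split one key=value line into a dict, honouring double-quoted values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def match_line(line):
    """Return the indicator names this line matches, in order: path, host, ip:80."""
    fields = parse_kv(line)
    hits = []
    if PATH_RE.match(fields.get("proc", "")):
        hits.append("path")
    host = fields.get("host", "").lower()
    ip, _, port = fields.get("dst", "").rpartition(":")
    if host in REPORT_HOSTS:
        hits.append("host")
    if ip in REPORT_HOSTS.values() and port == REPORT_PORT:
        hits.append("ip:80")
    return hits


def triage(lines):
    """(index, hits, verdict) for each line with at least one hit.

    Network indicators alone are graded weak because the destinations are shared
    CDN/cloud infrastructure; the reported temp-directory path upgrades a hit to strong.
    """
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((i, hits, "strong" if "path" in hits else "weak"))
    return results


if __name__ == "__main__":
    for index, hits, verdict in triage(SAMPLE_LOG):
        print(f"line {index}: {verdict:6s} {hits}")
```

Run against real proxy or EDR telemetry, the `proc` and `dst` keys would be whatever fields that source exposes for the originating image path and the destination socket; the grading logic stays the same. Note that the path pattern matches any randomly named .tmp directory, which is the NSIS extraction behaviour the Common path entry describes, rather than one fixed name.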

Remove ousbu.exe - Powered by Reason Core Security