utility.exe

York New Labs (Extreme White Limited)

The application utility.exe by York New Labs (Extreme White Limited) has been detected as a potentially unwanted program by 7 anti-malware scanners. It is a setup program used to install the application. It runs as a scheduled task named Crossbrowse under the Windows Task Scheduler, triggered each time a user logs in. The file is typically installed with the program Crossbrowse by CLARALABSOFTWARE, which is itself a potentially unwanted program. The file has been seen being downloaded from dl.ourstaticdatastorage.com.
Publisher:
York New Labs (Extreme White Limited)  (signed and verified)

Version:
106.0.0.0

MD5:
b57d60cd390792dc0650178631380918

SHA-1:
fecd679c159e80f7d00ec6b9ff1c99e118d28152

SHA-256:
aa485b5c6fe1e5618cfc8351975ef591d322762bbcde2e819cbf7528346d388b

Scanner detections:
7 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 3:06:00 AM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | ADWARE/CrossRider.Gen7 | 8.3.1.6
AVG | Win32/DH{gRJlfRMDICIlV04} | 2016.0.3063
K7 AntiVirus | Unwanted-Program | 13.205.16401
Kaspersky | HEUR:Trojan-Downloader.Win32.Generic | 14.0.0.1809
Malwarebytes | PUP.Optional.Crossbrowse.C | v2015.06.30.06
Reason Heuristics | Win32.Generic.YorkNewLabsExtremeWhiteLimited.Task.Meta | 15.6.30.6
Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.4

File size:
1.9 MB (1,967,696 bytes)

Product version:
106.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\crossbrowse\crossbrowse\application\utility.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 2:00:00 AM

Valid to:
4/15/2016 1:59:59 AM

Subject:
CN=York New Labs (Extreme White Limited), O=York New Labs (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00927773AE2A990E6BEB7E5455470BEF66

File PE Metadata
Compilation timestamp:
6/28/2015 10:09:10 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:EFy+HGjS9SDTV2o88Ju+MisBcjLGTYpS4AcFV/ZGU42fILsclzG:QCj3K8JOisGLc8

Entry address:
0x12B6DE

Entry point:
E8, 48, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 24, AE, 5C, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, EE, 5B, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 24, AE, 5C, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...

Code size:
1.3 MB (1,410,048 bytes)

Scheduled Task
Task name:
Crossbrowse

Trigger:
Logon (Runs on logon)


The file utility.exe has been discovered within the following program.

Crossbrowse by CLARALABSOFTWARE (87% of users remove it)

The file utility.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.48.170:80)
