NexGuard.exe

The executable NexGuard.exe has been detected as malware by 13 anti-virus scanners. It is registered under the name ‘nexguard’ to execute automatically when any user logs into Windows (through the local user run registry setting). While running, it connects to the Internet address ip-172-29-13-161.ec2.internal on port 16205.
Publisher:
Nextar

Product:
NexCafé

Description:
NexGuard

Version:
5.0.0.207

MD5:
101ffb00afb002ca5f6c4e04a5b373c7

SHA-1:
20afd1c2a8d465e3811187c33252f93a9c6c7058

SHA-256:
21d51f180e57dd2da9bb5619289ff4deaf4c9d46119687f1a4ee961f9caf906b

Scanner detections:
13 / 68

Status:
Malware

Analysis date:
11/5/2024 6:44:05 PM UTC

Scan engine | Detection | Engine version
AVG | SHeur4 | 2016.0.2984
Fortinet FortiGate | W32/Diss.BN!tr | 9/16/2015
IKARUS anti.virus | Trojan.Win32.Diss | t3scan.1.8.9.0
K7 AntiVirus | Riskware | 13.203.15849
Kaspersky | Trojan.Win32.Diss | 14.0.0.1416
McAfee | Artemis!101FFB00AFB0 | 5600.6640
Norman | Suspicious_Gen5.BDKLH | 11.20150916
Panda Antivirus | Trj/CI.A | 15.09.16.05
Quick Heal | Trojan.Diss.ga | 9.15.14.00
Trend Micro House Call | TROJ_NOTOOLS.BMC | 7.2.259
Trend Micro | TROJ_NOTOOLS.BMC | 10.465.16
VIPRE Antivirus | Trojan.Win32.Generic | 40062
ViRobot | Trojan.Win32.A.Diss.18260992[h] | 2014.3.20.0

File size:
17.4 MB (18,260,992 bytes)

Product version:
5.0

Original file name:
NexGuard.exe

File type:
Executable application (Win32 EXE)

Language:
Brazilian Portuguese

File PE Metadata
Compilation timestamp:
6/26/2014 11:35:37 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
393216:xigrF9r7FY+KcocF0uBiehKUznecrAxZwlQfUzAxx+RcxvGk+eWvrIvry:jrj9PWkyImx+GxvyvcD

Entry address:
0x80CB40

Entry point:
55, 8B, EC, B9, 0E, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 51, 53, 56, 57, B8, D4, E4, BF, 00, E8, D7, BA, 7F, FF, 33, C0, 55, 68, 13, D5, C0, 00, 64, FF, 30, 64, 89, 20, A1, 28, 5A, C6, 00, BA, 2C, D5, C0, 00, E8, 5E, 91, 7F, FF, E8, A5, FE, FC, FF, 33, C9, B2, 01, A1, 40, B4, BD, 00, E8, 9F, 26, 82, FF, C6, 40, 0F, 01, 33, D2, B8, 40, D5, C0, 00, E8, FB, 7C, 8F, FF, A1, 94, 5B, C6, 00, 8B, 00, E8, 9B, 34, 88, FF, E8, 0E, F7, FC, FF, C6, 05, B8, 0D, DF, 00, 00, 8D, 55, E8, 33, C0, E8, 99, 6A, 7F, FF, 8B...
 
Developed / compiled with:
Microsoft Visual C++

Code size:
8 MB (8,438,272 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
nexguard

Command:
"C:\nexcafe\nexguard.exe"


The executing file has been seen to make the following network communications in live environments.

