» NexGuard.exe
Overview
Analysis
File Details
Behaviors (1)
Network (39)

NexGuard.exe

NexCafé

Nextar

The executable NexGuard.exe has been detected as malware by 13 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘nexguard’. While running, it connects to the Internet address ip-172-29-13-161.ec2.internal on port 16205.

File name:

NexGuard.exe

Publisher:

Nextar

Product:

NexCafé

Description:

NexGuard

Version:

5.0.0.207

MD5:

101ffb00afb002ca5f6c4e04a5b373c7

SHA-1:

20afd1c2a8d465e3811187c33252f93a9c6c7058

SHA-256:

21d51f180e57dd2da9bb5619289ff4deaf4c9d46119687f1a4ee961f9caf906b

Scanner detections:

13 / 68

Status:

Malware

Analysis date:

11/27/2024 6:20:44 AM UTC (today)

Scan engine

Detection

Engine version

AVG

SHeur4

2016.0.2984

Fortinet FortiGate

W32/Diss.BN!tr

9/16/2015

IKARUS anti.virus

Trojan.Win32.Diss

t3scan.1.8.9.0

K7 AntiVirus

Riskware

13.203.15849

Kaspersky

Trojan.Win32.Diss

14.0.0.1416

McAfee

Artemis!101FFB00AFB0

5600.6640

Norman

Suspicious_Gen5.BDKLH

11.20150916

Panda Antivirus

Trj/CI.A

15.09.16.05

Quick Heal

Trojan.Diss.ga

9.15.14.00

Trend Micro House Call

TROJ_NOTOOLS.BMC

7.2.259

Trend Micro

TROJ_NOTOOLS.BMC

10.465.16

VIPRE Antivirus

Trojan.Win32.Generic

40062

ViRobot

Trojan.Win32.A.Diss.18260992[h]

2014.3.20.0

File size:

17.4 MB (18,260,992 bytes)

Product version:

5.0

Original file name:

NexGuard.exe

File type:

Executable application (Win32 EXE)

Language:

Brazilian Portuguese

File PE Metadata

Compilation timestamp:

6/26/2014 11:35:37 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

393216:xigrF9r7FY+KcocF0uBiehKUznecrAxZwlQfUzAxx+RcxvGk+eWvrIvry:jrj9PWkyImx+GxvyvcD

Entry address:

0x80CB40

Entry point:

55, 8B, EC, B9, 0E, 00, 00, 00, 6A, 00, 6A, 00, 49, 75, F9, 51, 53, 56, 57, B8, D4, E4, BF, 00, E8, D7, BA, 7F, FF, 33, C0, 55, 68, 13, D5, C0, 00, 64, FF, 30, 64, 89, 20, A1, 28, 5A, C6, 00, BA, 2C, D5, C0, 00, E8, 5E, 91, 7F, FF, E8, A5, FE, FC, FF, 33, C9, B2, 01, A1, 40, B4, BD, 00, E8, 9F, 26, 82, FF, C6, 40, 0F, 01, 33, D2, B8, 40, D5, C0, 00, E8, FB, 7C, 8F, FF, A1, 94, 5B, C6, 00, 8B, 00, E8, 9B, 34, 88, FF, E8, 0E, F7, FC, FF, C6, 05, B8, 0D, DF, 00, 00, 8D, 55, E8, 33, C0, E8, 99, 6A, 7F, FF, 8B... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

8 MB (8,438,272 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

nexguard

Command:

"C:\nexcafe\nexguard.exe"

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to ec2-34-200-193-115.compute-1.amazonaws.com (34.200.193.115:443)

TCP (HTTP):

Connects to ec2-54-94-144-67.sa-east-1.compute.amazonaws.com (54.94.144.67:80)

TCP (HTTP):

Connects to s3-website-sa-east-1.amazonaws.com (52.92.72.11:80)

TCP:

Connects to ec2-34-197-161-120.compute-1.amazonaws.com (34.197.161.120:1935)

TCP (HTTP):

Connects to ec2-54-207-88-152.sa-east-1.compute.amazonaws.com (54.207.88.152:80)

TCP (HTTP):

Connects to ec2-54-225-217-148.compute-1.amazonaws.com (54.225.217.148:80)

TCP:

Connects to ec2-34-192-65-64.compute-1.amazonaws.com (34.192.65.64:1935)

TCP (HTTP):

Connects to ec2-184-73-209-238.compute-1.amazonaws.com (184.73.209.238:80)

TCP:

Connects to ec2-34-199-243-170.compute-1.amazonaws.com (34.199.243.170:1935)

TCP:

Connects to ec2-107-23-141-170.compute-1.amazonaws.com (107.23.141.170:1935)

TCP (HTTP SSL):

Connects to server-52-84-179-119.gru50.r.cloudfront.net (52.84.179.119:443)

TCP (HTTP):

Connects to s3-1-w.amazonaws.com (52.216.224.152:80)

TCP (HTTP SSL):

Connects to s3-1.amazonaws.com (52.216.192.19:443)

TCP (HTTP):

Connects to pr-east2.pbp.vip.bf1.yahoo.com (72.30.3.42:80)

TCP (HTTP):

Connects to mpr2.ngd.vip.bf1.yahoo.com (98.139.225.43:80)

TCP (HTTP):

Connects to mpr1.ngd.vip.ne1.yahoo.com (98.138.49.44:80)

TCP:

Connects to ip-172-29-13-161.ec2.internal (172.29.13.161:16205)

TCP (HTTP SSL):

Connects to edge-star-shv-01-gru2.facebook.com (31.13.85.8:443)

TCP:

Connects to ec2-34-200-198-210.compute-1.amazonaws.com (34.200.198.210:1935)

TCP (HTTP SSL):

Connects to e2.ycpi.vip.bra.yahoo.com (200.152.162.161:443)

Remove NexGuard.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.