Nfsnewyork.exe

Gekkon Ltd

The application Nfsnewyork.exe by Gekkon has been detected as a potentially unwanted program by 9 anti-malware scanners. The program is a setup application that uses the Inno Setup installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from newfreescreensavers.com.
Publisher:
Gekkon Ltd  (signed and verified)

MD5:
3efdb48ad427b1520c4de6225dfdee20

SHA-1:
e517d6e1605e56ead69b9395aa30218808481b3a

SHA-256:
87e8c08023337f79a3793fdd027df4918fe06e2529991c97ead702d4fceea42c

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
11/27/2024 12:06:30 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | PUA.InstallCore | 7.1.1
Comodo Security | Application.Win32.InstallCore.BWAN | 18162
Dr.Web | Trojan.Packed.24524 | 9.0.1.0114
ESET NOD32 | Win32/InstallCore.BC (variant) | 8.9720
K7 AntiVirus | Unwanted-Program | 13.176.11873
Malwarebytes | | v2014.04.24.11
Reason Heuristics | PUP.Gekkon.K | 14.7.10.2
Vba32 AntiVirus | | 3.12.26.0
VIPRE Antivirus | InstallCore.b | 28580

File size:
717.4 KB (734,576 bytes)

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\nfsnewyork.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
5/13/2013 10:57:19 AM

Valid to:
8/13/2016 10:57:19 AM

Subject:
E=is@newfreescreensavers.com, CN=Gekkon Ltd, O=Gekkon Ltd, L=Mahe, S=Seychelles, C=SC

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11219BA4649A3898A4F37C1CE7782C46FAEA

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:0QFaPRjtbxh7FzQ52W9l4SB9JppABXB66EKbIeZyhkcGCd1nsvn95AK6z3XNP3uL:0QFsNtlhFzgP9aSB9xUgX+GhrGCd1svF

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 

Entropy:
7.7612

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file Nfsnewyork.exe has been seen being distributed by the following URL.
