nsa9560.tmp

The file nsa9560.tmp has been detected as a potentially unwanted program by 5 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The file has been observed being downloaded from s3.amazonaws.com. While running, it connects to the Internet address server-54-192-36-70.jfk1.r.cloudfront.net on port 80 using the HTTP protocol.
MD5:
16c94ebf5771f165895e8e4de9566cea

SHA-1:
f2e798fe403dbfa745d8e37d752695eca2b3c244

SHA-256:
da05f4c9e7003f8a2b43ef64547bc43cd56f6b74376c6b9bf61a6b61a7a148bd

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 3:11:48 AM UTC

Scan engine           Detection                          Engine version
AhnLab V3 Security    PUP/Win32.VOPackage                2015.10.08
Arcabit               PUP.Adware.ConvertAd               1.0.0.576
Kaspersky             not-a-virus:AdWare.Win32.Vopak     14.0.0.1155
Panda Antivirus       Generic Suspicious                 15.11.08.02
Reason Heuristics     Adware.Generic.ABT (M)             16.2.29.18

File size:
225.8 KB (231,246 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\nsa9560.tmp

File PE Metadata
Compilation timestamp:
12/6/2009 6:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:Ge34MhydvYjXkT7gSYkmg/JKHASUWdK6wQS:NdkoQJKHASS61S

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.8780

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsa9560.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-36-70.jfk1.r.cloudfront.net  (54.192.36.70:80)

TCP (HTTP):
Connects to ec2-52-1-45-42.compute-1.amazonaws.com  (52.1.45.42:80)

TCP (HTTP):
Connects to ec2-107-21-122-166.compute-1.amazonaws.com  (107.21.122.166:80)

Powered by Reason Core Security