nsbuk_mystartsearch.exe

3089_nsbuk_mystartsearch

Xiaoqing Liu

The application nsbuk_mystartsearch.exe by Xiaoqing Liu has been detected as adware by 13 anti-malware scanners. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
ylsn  (signed by Xiaoqing Liu)

Product:
3089_nsbuk_mystartsearch

Description:
ylsn

Version:
6,3,7601,1995

MD5:
8cc94d3786f36419ad25ab40cf5112c6

SHA-1:
4b215640bc5b2ae96f0d51c276fcbf5721a07765

SHA-256:
96734908f02e234c21976c6acc11e73f6e0ae9c00738110665a16711f2344f6e

Scanner detections:
13 / 68

Status:
Adware

Analysis date:
12/25/2024 3:21:33 PM UTC

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.SearchHijacker
2015.03.26

avast!
Dropper-gen [Drp]
2014.9-150318

AVG
Downloader
2016.0.3128

Baidu Antivirus
PUA.Win32.ELEX
4.0.3.15318

ESET NOD32
Win32/ELEX.CE potentially unwanted
9.11340

Fortinet FortiGate
Riskware/Elex
4/26/2015

herdProtect (fuzzy)
2015.6.24.10

K7 AntiVirus
Trojan
13.201.15304

Malwarebytes
PUP.Optional.LuckySearches.A
v2015.04.26.06

McAfee
Artemis!935124FF033F
5600.6822

Qihoo 360 Security
HEUR/QVM41.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Li Mo
15.3.18.15

Sophos
PUA 'Elex' (of type Adware)
5.12

File size:
322.9 KB (330,696 bytes)

Product version:
6,3,7601,1995

Copyright:
bsw

Original file name:
bsw

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\nsbuk_mystartsearch.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
8/12/2014 4:00:00 PM

Valid to:
8/17/2015 4:00:00 AM

Subject:
CN=Xiaoqing Liu, O=Xiaoqing Liu, L=Zaozhuang, S=Shandong, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0EBAB4AC38B70A33EE517D238BDE49D7

File PE Metadata
Compilation timestamp:
3/9/2015 1:46:39 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:9qlTU8709zV1R4bp7+nSOh0fJD/V8LHJ1PhhgVlEw:9VR1R4bp7ObQD/VQf5GVlEw

Entry address:
0x114D9

Entry point:
E8, 96, 6E, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 74, A6, 42, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, C8, 80, 42, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 74, A6, 42, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00...

Entropy:
5.9943

Code size:
115.5 KB (118,272 bytes)

The file nsbuk_mystartsearch.exe has been seen being distributed by the following URL.

http://d2drfrdurj6mvo.cloudfront.net/.../nsbuk_mystartsearch.exe
