nsc8b5f.tmp

Koyote-Lab Inc.

The file nsc8b5f.tmp by Koyote-Lab has been detected as a potentially unwanted program by 14 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from download.cdn.fantastigames.com.
Publisher:
Koyote-Lab Inc.  (signed and verified)

Version:
4.5.0.4243

MD5:
17c1de690b60d1e8aeddf7bba656f606

SHA-1:
cec43cb3fd7f89cf45bc6e39f8e8ba2088c893d9

SHA-256:
44098c5c0fe72b6462fc1ced830b6fd5f7f39f633dbf6f8bfe8bda1fea87dc6c

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 1:23:50 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Agnitum Outpost | PUA.Toolbar.SearchSuite | 7.1.1 |
| AhnLab V3 Security | Win-PUP/SearchSuite | 2015.02.14 |
| avast! | Win32:Adware-BRT [Adw] | 2014.9-150320 |
| AVG | Toolbar.SearchSuite | 2016.0.3164 |
| Baidu Antivirus | Adware.Win32.SearchSuite | 4.0.3.15320 |
| Comodo Security | Heur.Suspicious | 21068 |
| Dr.Web | Trojan.Siggen5.64541 | 9.0.1.079 |
| ESET NOD32 | Win32/Toolbar.SearchSuite.A potentially unwanted (variant) | 9.11173 |
| Fortinet FortiGate | Riskware/Toolbar_SearchSuite | 3/20/2015 |
| G Data | Win32.Application.KoyoteLab | 15.3.25 |
| K7 AntiVirus | Unwanted-Program | 13.194.14961 |
| Kaspersky | not-a-virus:WebToolbar.Win32.SearchSuite | 14.0.0.2316 |
| NANO AntiVirus | Trojan.Win32.BGuard.crbapl | 0.30.0.65070 |
| Reason Heuristics | PUP.Installer.KoyoteLab | 15.3.20.18 |

File size:
3.1 MB (3,274,280 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\nsc8b5f.tmp

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
2/22/2012 7:00:00 PM

Valid to:
2/21/2014 6:59:59 PM

Subject:
CN=Koyote-Lab Inc., OU=DEV, O=Koyote-Lab Inc., L=Panama City, S=Panama, C=PA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
7AD16C59E384A2E3D38D2287483F9B2B

File PE Metadata
Compilation timestamp:
12/5/2009 5:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:FCmunfITlsx1e3JQSASf5E+qS3wTwVtJ8xN7Qno:FunfInGSTTqS3wTwqNUno

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 

Entropy:
7.9988

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsc8b5f.tmp has been seen being distributed by the following URL.
