nsdc564.tmp

Essync PTY LTD

The file nsdc564.tmp by Essync PTY has been detected as a potentially unwanted program by 16 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. The file has been seen being downloaded from healthcaregovtool.com.
Publisher:
Essync PTY LTD  (signed and verified)

MD5:
c97a86a46f761f85c03978e8aeaf77cc

SHA-1:
95c88a66d909d96543587d59d679105df52215eb

SHA-256:
0bb6f4f23e2a93f9ca0b7a470205744527195bb2630d121a3dda1a6ec8355266

Scanner detections:
16 / 68

Status:
Potentially unwanted

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/24/2024 4:36:48 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Dropper.A.15172
8.3.2.2

avast!
Win32:Adware-gen [Adw]
2014.9-151207

AVG
Generic
2016.0.2903

Baidu Antivirus
Hacktool.Win64.Komodia
4.0.3.15127

Comodo Security
UnclassifiedMalware
23526

Dr.Web
Threat.Undefined
9.0.1.05190

ESET NOD32
multiple threats
7.0.302.0

F-Secure
Gen:Adware.BrowseFox.1
5.15.21

G Data
Win32.Trojan.Agent.YU4NIV
15.12.25

IKARUS anti.virus
Trojan.Dropper
t3scan.1.9.5.0

K7 AntiVirus
Trojan
13.212.17725

Malwarebytes
PUP.Optional.Komodia
v2015.12.07.04

McAfee
Trojan.Artemis!3569C8A59F82
18.0.204.0

Rising Antivirus
PE:Malware.Generic/QRS!1.9E2D [F]
23.00.65.151205

Sophos
Generic PUA JF (PUA)
4.98

VIPRE Antivirus
Threat.4150696
45570

File size:
4.6 MB (4,875,384 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\nsdc564.tmp

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
8/20/2015 7:00:00 PM

Valid to:
3/25/2016 6:59:59 PM

Subject:
CN=Essync PTY LTD, O=Essync PTY LTD, L=Sans Souci, S=New South Wales, C=AU

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
2C40621E61A3C414F3892090E322B912

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:kRk6lyKMqrmEgKHC3+AW9Z8wAhohFSWFMEQs1smgBfnkuG5hy+ZeUk:cZQxOAW/O8GE11smK/yfi

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9993

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsdc564.tmp has been seen being distributed by the following URL.

Remove nsdc564.tmp - Powered by Reason Core Security