nsf443b.tmp

Ratio Applications

The software displays additional offers (such as adware) during installation, including a browser toolbar/extension and advertising injection software (part of the Injekt brand). The file nsf443b.tmp by Ratio Applications has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is typically executed from the user's temporary directory. The file has been seen being downloaded from tango.tangelosplace.com.
Publisher:
Ratio Applications  (signed and verified)

MD5:
1856707260beae0b62b8da584403018c

SHA-1:
fa537bd70f320d6e5ecc80b2f8f14529fd60dafe

SHA-256:
dc9942206eb845debb33d0f04e6e4450d64ccc70fa0bae57446f504360c19171

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads into the web browser and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
12/25/2024 1:31:53 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Dr.Web | Adware.Yontoo.68 | 9.0.1.05190 |
| ESET NOD32 | multiple threats | 7.0.302.0 |
| Reason Heuristics | PUP.Injekt.RatioApplications.Installer (M) | 15.12.24.10 |
| Sophos | PUA 'Pull Update' | 5.22 |
| VIPRE Antivirus | Threat.4784449 | 46062 |

File size:
4.6 MB (4,827,472 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nsf443b.tmp

Digital Signature
Authority:
Symantec Corporation

Valid from:
2/9/2015 6:00:00 PM

Valid to:
5/11/2016 6:59:59 PM

Subject:
CN=Ratio Applications, O=Ratio Applications, L=St. James, S=St. James, C=BB

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
2C6864FA270A42D59AC5ABB22BC46227

File PE Metadata
Compilation timestamp:
6/6/2009 4:41:48 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:9VlEntwovkpW0jbRZcjUOHXl8wuPWt+bDtFKs8L0dDj1+k+jlEntwovYJ:9V2woEW0jb6ZXWNQ+bDKs8vjj2wogJ

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 

Entropy:
7.9859

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file nsf443b.tmp has been seen being distributed by the following URL.
