nsh379f.tmp

The file nsh379f.tmp has been detected as a potentially unwanted program by 24 anti-malware scanners. The file has been seen being downloaded from 113.171.224.210 and multiple other hosts. While running, it connects to the Internet address server-52-85-173-97.fra6.r.cloudfront.net on port 80 using the HTTP protocol.
MD5:
0ccf900044e0e4edf36e89008e2c6aa7

SHA-1:
e5a8fa6169c7195369f39dc49676aac100d24807

SHA-256:
2fc12cef0024b894c930172960669d81bc39fc3c1be334013642cfa877e68de4

Scanner detections:
24 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 10:51:25 AM UTC

Scan engine: detection (engine version)

Lavasoft Ad-Aware: Trojan.GenericKD.2478098 (engine version 576)
Agnitum Outpost: PUA.Downware (engine version 7.1.1)
AhnLab V3 Security: Adware/Win32.Downware (engine version 2015.07.07)
Avira AntiVirus: TR/Dldr.Agent.254464.4 (engine version 8.3.1.6)
Arcabit: Trojan.Generic.D25D012 (engine version 1.0.0.425)
avast!: Win32:Adware-gen [Adw] (engine version 2014.9-150709)
Baidu Antivirus: Trojan.Win32.Downloader (engine version 4.0.3.15610)
Bitdefender: Trojan.GenericKD.2478098 (engine version 1.0.20.950)
Dr.Web: Adware.Downware.11745 (engine version 9.0.1.0190)
Emsisoft Anti-Malware: Trojan.GenericKD.2478098 (engine version 8.15.07.09.09)
Fortinet FortiGate: W32/Generic!tr.dldr (engine version 7/9/2015)
F-Secure: Trojan.GenericKD.2478098 (engine version 11.2015-09-07_5)
G Data: Trojan.GenericKD.2478098 (engine version 15.7.25)
IKARUS anti.virus: Trojan.SuspectCRC (engine version t3scan.1.9.5.0)
Kaspersky: HEUR:Trojan-Downloader.Win32.Generic (engine version 14.0.0.1909)
Malwarebytes: PUP.Optional.PreInstaller.A (engine version v2015.07.09.09)
McAfee: Artemis!0CCF900044E0 (engine version 5600.6710)
MicroWorld eScan: Trojan.GenericKD.2478098 (engine version 16.0.0.570)
NANO AntiVirus: Riskware.Win32.Downware.dsxeuy (engine version 0.30.24.2487)
nProtect: Trojan.GenericKD.2478098 (engine version 15.07.06.01)
Panda Antivirus: Trj/Chgt.O (engine version 15.07.09.09)
Reason Heuristics: Threat.Win.Reputation.IMP (engine version 15.7.11.22)
Trend Micro: TROJ_GEN.R00JC0EFL15 (engine version 10.465.09)
ViRobot: Trojan.Win32.S.Agent.254464.DP[h] (engine version 2014.3.20.0)

File size:
248.5 KB (254,464 bytes)

Common path:
C:\users\{user}\appdata\local\temp\nsh379f.tmp

File PE Metadata
Compilation timestamp:
6/10/2015 11:04:52 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:lW4xDGJt0uU5cQzq7Wf9NU4e/mecm38dZNWcPzX318eoV/hTdaQ58HcjoJM8:k4MbC5Vz1U4Lecm323Wcb18BN2HJM8

Entry address:
0x1340A


Entropy:
5.6308

Code size:
138 KB (141,312 bytes)

The file nsh379f.tmp has been seen being distributed by the following 18 URLs.

The executing file has been seen to make the following network communications in live environments.
