nsm1479.tmp

Setup

LLC

The file nsm1479.tmp by LLC has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, and it is typically executed from the user's temporary directory. The file has been seen being downloaded from 113.171.224.244 and multiple other hosts.
Publisher:
Open Source (signed by LLC)

Product:
Setup

Version:
1.2

MD5:
1ff1329b6ea0796a5b678f8ff50eaaba

SHA-1:
e72d35fd3b870be9bd2c3bd6dcefd8c9edcffa34

SHA-256:
b192d921da9d0382f271c46baa47efcba46b3fa80052170fc58bbf4816fc25c5

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not yet detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
11/24/2024 10:40:59 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Amonitize.OpenSource.Installer (M)

Engine version:
15.12.20.2

File size:
4.4 MB (4,645,328 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\nsm1479.tmp

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
5/7/2015 8:00:00 AM

Valid to:
5/7/2016 7:59:59 AM

Subject:
CN="LLC ""YOPTA SOFT""", O="LLC ""YOPTA SOFT""", STREET="str.Tsytadelna, 7", L=Kiev, S=Kiev, PostalCode=01015, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
1CAFDF1C4C426FC3DD811D48793D99C9

File PE Metadata
Compilation timestamp:
8/5/2015 8:47:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:LgV4ygrdsT1UA1PfiEIQ+OLg8bTmaT7OcELB8wV:Lu4vpapKE3L3bTmaT7HELBhV

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 67, 44, 00, E8, 05, 2E, 00, 00, A3, 04, 67, 44, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, 94, 42, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 27, 44, 00, E8, AF, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, F0, 46, 00, 50, 55, E8, 9D, 2A...

Entropy:
7.9987

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsm1479.tmp has been seen being distributed by the following 3 URLs.

http://113.171.224.244/.../Cdn.exe

http://113.171.224.210/.../Cdn.exe

Remove nsm1479.tmp - Powered by Reason Core Security