nsq3dbf.tmp

Koyote-Lab Inc.

The file nsq3dbf.tmp by Koyote-Lab has been detected as a potentially unwanted program by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is typically executed from the user's temporary directory. The file has been observed being downloaded from download.cdn.fantastigames.com.
Publisher:
Koyote-Lab Inc.  (signed and verified)

Version:
4.1.0.3110

MD5:
e69df144496e02378cbb7d2c9212cef8

SHA-1:
4b82c1888731ca03b386d87257cdd74a36e0206e

SHA-256:
d502697105083f2a9afd29d1d8ec0a4b7093955adc9fdf847aa5fde2f66507a5

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 1:12:19 PM UTC

Scan engine | Detection | Engine version
Comodo Security | Heur.Suspicious | 13572
ESET NOD32 | Win32/Toolbar.SearchSuite (variant) | 8.7487
Microsoft Security Essentials | Trojan:Win32/Startpage.gen!A | 1.163.1557.0
Reason Heuristics | PUP.KoyoteLab.K | 14.11.28.23
Trend Micro House Call | TROJ_GEN.F47V0903 | 7.2.332

File size:
4.4 MB (4,583,112 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nsq3dbf.tmp

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
2/22/2012 6:00:00 PM

Valid to:
2/21/2014 5:59:59 PM

Subject:
CN=Koyote-Lab Inc., OU=DEV, O=Koyote-Lab Inc., L=Panama City, S=Panama, C=PA

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
7AD16C59E384A2E3D38D2287483F9B2B

File PE Metadata
Compilation timestamp:
12/5/2009 4:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:1t2/W3x/nyYjbtzdeXtIXZwA9A2UfB6FkFY1/fciinF0Xc0SOIEfUsDzbWd:2eB/nyYn0tIJRAab1MiWv0R/fDbg

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
Entropy:
7.9994

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsq3dbf.tmp has been seen being distributed by the following URL.
