nsr60d9.tmp

The file nsr60d9.tmp has been detected as a potentially unwanted program by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from s3.amazonaws.com. While running, it connects to the Internet address server-54-230-53-9.jfk6.r.cloudfront.net on port 80 using the HTTP protocol.
MD5:
02833e5d91a2442328a8b6e099c24eaf

SHA-1:
df83938230660a1a85aa4d2b3141c47b87335b6f

SHA-256:
e17c2c08c9d3159f5e0e04a7a7ba1ba6732313678b59f8d0545571fa2b8b68e2

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 3:18:58 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.VOPackage
2015.12.03

Arcabit
PUP.Adware.ConvertAd
1.0.0.628

Kaspersky
UDS:DangerousObject.Multi.Generic
14.0.0.1027

Qihoo 360 Security
HEUR/QVM42.0.Malware.Gen
1.0.0.1077

Reason Heuristics
Adware.Generic.ABT (M)
16.2.29.18

File size:
123.4 KB (126,385 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\nsr60d9.tmp

File PE Metadata
Compilation timestamp:
12/6/2009 1:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:0gXdZt9P6D3XJh5m72/HtzN70xjx5e7Yco4sh:0e34T5m7UNN7MzeMcW

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsr60d9.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-53-9.jfk6.r.cloudfront.net  (54.230.53.9:80)

TCP (HTTP):
Connects to ec2-52-1-45-42.compute-1.amazonaws.com  (52.1.45.42:80)

Remove nsr60d9.tmp - Powered by Reason Core Security