nss32f.tmp

Installation

The file nss32f.tmp has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from m.ahlabahla97.com. While running, it connects to the Internet address ocsp.comodoca.com on port 80 using the HTTP protocol.
Product:
Installation

Version:
1.0.0.161

MD5:
0e696dfc832fd862697821591fcb9da5

SHA-1:
20f8139a76e1880cb4be514b4cbe633511a025dd

SHA-256:
1ec13a5dda42897726fe4b6faa690aee75619eb1decb54df0193ab50c655ff84

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 2:48:47 PM UTC

Scan engine | Detection | Engine version
Dr.Web | Trojan.DownLoader14.41009 | 9.0.1.0198
Malwarebytes | PUP.Optional.TomorrowGames.A | v2015.06.18.04
Zillya! Antivirus | Trojan.Win32.1DB12147 | 2.0.0.2230

File size:
2 MB (2,106,377 bytes)

Product version:
1.0.0.161

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Turkish (Turkey)

Common path:
C:\users\{user}\appdata\local\temp\nss32f.tmp

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:k8ITE8FCBLFF6F4VSXAPQC9EmrQugQird1lY:m4lLIXpoDN

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nss32f.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ocsp.comodoca.com  (178.255.83.1:80)

TCP (HTTP SSL):
Connects to ec2-54-68-135-85.us-west-2.compute.amazonaws.com  (54.68.135.85:443)

TCP (HTTP):
