nssg.exe

RecA

The executable nssg.exe has been detected as malware by 1 anti-virus scanner. It runs as a scheduled task under the Windows Task Scheduler named fetpoi triggered to execute each time a user logs in. The file has been seen being downloaded from a.pomf.cat.
Publisher:
RecA  (signed and verified)

MD5:
615085208d38e68a2f6a6d25da7d9596

SHA-1:
6daf5e7e3144ae8a659b955d24d534ffab67ba9c

SHA-256:
8732b883c11b228355b986aed0651f45484ead00d81d66722db8f8ab391b4d52

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/26/2024 5:34:49 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.12.29.7

File size:
309.4 KB (316,864 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\nssg.exe

Digital Signature
Signed by:

Authority:
RecA

Valid from:
7/3/2016 1:42:39 AM

Valid to:
7/4/2026 1:42:39 AM

Subject:
E=owner@reca.net, CN=www.reca.net, OU=Support Dept, O=RecA, L=Cologne, S=Sortil, C=DE

Issuer:
E=owner@reca.net, CN=www.reca.net, OU=Support Dept, O=RecA, L=Cologne, S=Sortil, C=DE

Serial number:
008FE7E51E617A60CF

File PE Metadata
Compilation timestamp:
7/5/2016 3:56:55 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0x23CEE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
5.8356

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
136 KB (139,264 bytes)

Scheduled Task
Task name:
fetpoi

Path:
\Update\fetpoi

Trigger:
Logon (Runs on logon)


The file nssg.exe has been seen being distributed by the following URL.

https://a.pomf.cat/sgzvsu.exe

Remove nssg.exe - Powered by Reason Core Security