nsv3108.tmp

The file nsv3108.tmp has been detected as a potentially unwanted program by 14 anti-malware scanners. The file has been seen being downloaded from d24u51ac8ybaqu.cloudfront.net. While running, it connects to the Internet address server-54-230-39-33.jfk1.r.cloudfront.net on port 443.
MD5:
5a66305d13f88c718bb4dff1b0450e10

SHA-1:
ec2bab8788071f7316a6307f8f6dae56db55815e

SHA-256:
dfd6450dbd99c3c4b241af41e4b76f63402372843be942cc828570f62694f899

Scanner detections:
14 / 68

Status:
Potentially unwanted

Explanation:
May modify the web browser's settings, including changing the homepage and search provider, in addition to delivering ads (by injecting banners and text links directly into the webpage).

Analysis date:
12/24/2024 12:34:27 PM UTC

Scan engine            | Detection                         | Engine version
Lavasoft Ad-Aware      | Gen:Variant.Mikey.28503           | 5695792
AhnLab V3 Security     | PUP/Win32.CrossRider              | 2015.12.03
Avira AntiVirus        | TR/Taranis.399                    | 8.3.2.4
Arcabit                | Trojan.Mikey.D6F57                | 1.0.0.628
Bitdefender            | Gen:Variant.Mikey.28503           | 1.0.20.1680
Emsisoft Anti-Malware  | Gen:Variant.Mikey.28503           | 10.0.0.5366
F-Secure               | Gen:Variant.Mikey.28503           | 11.2015-02-12_4
G Data                 | Gen:Variant.Mikey.28503           | 15.12.25
Kaspersky              | UDS:DangerousObject.Multi.Generic | 14.0.0.1031
Malwarebytes           | Trojan.Agent                      | v2015.12.02.06
MicroWorld eScan       | Gen:Variant.Mikey.28503           | 16.0.0.1008
Norman                 | Gen:Variant.Mikey.28503           | 07.10.2015 03:16:12
Panda Antivirus        | Trj/Genetic.gen                   | 15.12.02.06
Qihoo 360 Security     | HEUR/QVM08.0.Malware.Gen          | 1.0.0.1077

File size:
10 KB (10,240 bytes)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\nsv3108.tmp

File PE Metadata
Compilation timestamp:
12/2/2015 7:57:36 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
192:SwDjotoVqTsbqIXPXGU5xIhHCDhvar5LJ6AJV8S:RjotoVUscOStQAJ6S

Entry address:
0x1000

Entry point:
6A, 70, 68, 38, 23, 40, 00, E8, F8, 01, 00, 00, 33, DB, 89, 5D, FC, 8D, 45, 80, 50, FF, 15, 00, 20, 40, 00, 83, CF, FF, 89, 7D, FC, 66, 81, 3D, 00, 00, 40, 00, 4D, 5A, 75, 28, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, 17, 0F, B7, 88, 18, 00, 40, 00, 81, F9, 0B, 01, 00, 00, 74, 20, 81, F9, 0B, 02, 00, 00, 74, 05, 89, 5D, E4, EB, 2A, 83, B8, 84, 00, 40, 00, 0E, 76, F2, 33, C9, 39, 98, F8, 00, 40, 00, EB, 11, 83, B8, 74, 00, 40, 00, 0E, 76, DF, 33, C9, 39, 98, E8, 00, 40, 00, 0F, 95, C1...

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
3 KB (3,072 bytes)

The file nsv3108.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-230-39-33.jfk1.r.cloudfront.net  (54.230.39.33:443)

TCP (HTTP SSL):
Connects to server-54-192-54-195.jfk6.r.cloudfront.net  (54.192.54.195:443)

TCP (HTTP SSL):
Connects to server-54-192-36-126.jfk1.r.cloudfront.net  (54.192.36.126:443)

Powered by Reason Core Security