nsxe920.tmp

The file nsxe920.tmp has been detected as a potentially unwanted program by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from s3.amazonaws.com. While running, it connects to the Internet address server-205-251-251-17.jfk5.r.cloudfront.net on port 80 using the HTTP protocol.
MD5:
b6ee1ce3955eb686afcb022b9e7b289a

SHA-1:
d22974d96e0e82abab9a2b34202b5b5c8a6f0a5e

SHA-256:
f3fc8c0ddb80f86af8f9f9a5a5c449c351da0aa57e947f76087d2d065e853ef7

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 12:36:26 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.Agent
2015.09.05

Arcabit
PUP.Adware.ConvertAd
1.0.0.425

Dr.Web
Adware.Downware.11745
9.0.1.0283

Kaspersky
not-a-virus:HEUR:AdWare.Win32.ConvertAd
14.0.0.1297

Panda Antivirus
Generic Suspicious
15.10.10.02

File size:
121.2 KB (124,154 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\nsxe920.tmp

File PE Metadata
Compilation timestamp:
12/6/2009 1:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:ygXdZt9P6D3XJAcnVwmnURMoWPD/RpkOo4sM:ye34Pwm4El1L

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.7607

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsxe920.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-50-172.jfk5.r.cloudfront.net  (54.230.50.172:80)

TCP (HTTP):
Connects to server-54-230-39-137.jfk1.r.cloudfront.net  (54.230.39.137:80)

TCP (HTTP):
Connects to server-54-230-38-232.jfk1.r.cloudfront.net  (54.230.38.232:80)

TCP (HTTP):
Connects to server-54-230-38-211.jfk1.r.cloudfront.net  (54.230.38.211:80)

TCP (HTTP):
Connects to server-54-230-38-165.jfk1.r.cloudfront.net  (54.230.38.165:80)

TCP (HTTP):
Connects to server-54-192-36-76.jfk1.r.cloudfront.net  (54.192.36.76:80)

TCP (HTTP):
Connects to server-54-192-36-65.jfk1.r.cloudfront.net  (54.192.36.65:80)

TCP (HTTP):
Connects to server-205-251-251-17.jfk5.r.cloudfront.net  (205.251.251.17:80)

TCP (HTTP):
Connects to server-205-251-251-16.jfk5.r.cloudfront.net  (205.251.251.16:80)

TCP (HTTP):
Connects to ec2-54-235-132-107.compute-1.amazonaws.com  (54.235.132.107:80)

TCP (HTTP):
Connects to ec2-52-1-45-42.compute-1.amazonaws.com  (52.1.45.42:80)

TCP (HTTP):
Connects to ec2-107-21-122-166.compute-1.amazonaws.com  (107.21.122.166:80)

TCP (HTTP):
Connects to dl21.clickmein.com  (216.227.128.186:80)

Remove nsxe920.tmp - Powered by Reason Core Security