nwgae97.exe

Installer

The application nwgae97.exe has been detected as a potentially unwanted program by 25 anti-malware scanners. It is a self-extracting archive and installer, but the file is not signed with an Authenticode signature from a trusted source. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from d2imjp01y2qig5.cloudfront.net. While running, it connects to the Internet address www.ibbalance.com on port 443.
Product:
Installer

Description:
Installer-H

Version:
1.0.0.0

MD5:
3d65430a4c47c73a366c17997e4306ce

SHA-1:
17815d8566d2b691dc354ed5a81eb2da9205eef8

SHA-256:
212ff000ba4999168f3ea29fccd347a58980808e397c791d2de75be0a9dda3a3

Scanner detections:
25 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/24/2024 2:43:16 AM UTC

Scan engine            Detection                       Engine version
Lavasoft Ad-Aware      Gen:Variant.Adware.Kazy.607544  271
AhnLab V3 Security     Adware/Win32.Imali              2016.05.05
Avira AntiVirus        TR/Dropper.MSIL.Gen             8.3.3.4
Arcabit                Trojan.Adware.Kazy.D94538       1.0.0.672
AVG                    Downloader                      2017.0.2749
Baidu Antivirus        Adware.MSIL.Imali               4.0.3.1658
Bitdefender            Gen:Variant.Adware.Kazy.607544  1.0.20.645
Comodo Security        ApplicUnwnt                     24933
Dr.Web                 Trojan.Crossrider1.53925        9.0.1.0129
Emsisoft Anti-Malware  Gen:Variant.Adware.Kazy.607544  8.16.05.08.12
ESET NOD32             MSIL/Adware.Imali (variant)     10.13440
Fortinet FortiGate     Adware/Imali                    5/8/2016
F-Secure               Gen:Variant.Adware.Kazy         11.2016-08-05_1
G Data                 Gen:Variant.Adware.Kazy.607544  16.5.25
IKARUS anti.virus      PUA.MSIL.Downloader             t3scan.2.0.9.0
K7 AntiVirus           Adware                          13.224.19508
Kaspersky              not-a-virus:AdWare.MSIL.Agent   14.0.0.242
McAfee                 Artemis!3D65430A4C47            5600.6405
MicroWorld eScan       Gen:Variant.Adware.Kazy.607544  17.0.0.387
NANO AntiVirus         Trojan.Win32.Imali.dydpby       1.0.30.8213
Panda Antivirus        Trj/CI.A                        16.05.08.12
Sophos                 Offer Installer (PUA)           4.98
Trend Micro            TROJ_GEN.R0EBC0OKD15            10.465.08
VIPRE Antivirus        Trojan.Win32.Generic            49146
Zillya! Antivirus      Downloader.Morstar.Win32.849    2.0.0.2842

File size:
2.9 MB (3,005,952 bytes)

Product version:
1.0.0.0

Original file name:
FinalInstaller_dotnet2.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nwgae97.exe

File PE Metadata

Compilation timestamp:
10/22/2015 6:11:05 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:Gt2pfNhlzlHZOqgFouKodwUMwuBu+wCmouqYTgpSkqyE13TIy96eBjMxXSEhZbgk:b/ZFU4MgmjjTySlH4eBjMxXRhCs98

Entry address:
0x2D6AEE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.4343

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.8 MB (2,968,576 bytes)

The file nwgae97.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com (173.192.190.227:443)

Remove nwgae97.exe - Powered by Reason Core Security