nwgfa73.exe

Installer

The application nwgfa73.exe has been detected as a potentially unwanted program by 30 anti-malware scanners. It is a setup and installation application; however, the file is not signed with an Authenticode signature from a trusted source. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from d2imjp01y2qig5.cloudfront.net. While running, it connects to the Internet address www.ibbalance.com on port 443.
Product:
Installer

Description:
Installer-H

Version:
1.0.0.0

MD5:
c5f897e9adb3848a97d1c0241ebd0bbd

SHA-1:
9dd92021bdfac9bc9a776ebebe7b3b9d9b53dd54

SHA-256:
cba7501958c3dcdb5ef40b73ed4e3458a8460f202b8ca8f32a3014b59e06dd3b

Scanner detections:
30 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/24/2024 2:34:09 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.Kazy.607544 | 398
Agnitum Outpost | PUA.Imali | 7.1.1
AhnLab V3 Security | Adware/Win32.Imali | 2015.12.25
Avira AntiVirus | TR/Dropper.MSIL.Gen | 8.3.2.4
Arcabit | Trojan.Adware.Kazy.D94538 | 1.0.0.637
AVG | Downloader | 2017.0.2876
Baidu Antivirus | Adware.MSIL.Imali | 4.0.3.1613
Bitdefender | Gen:Variant.Adware.Kazy.607544 | 1.0.20.15
Comodo Security | ApplicUnwnt | 23844
Dr.Web | Trojan.Crossrider1.50845 | 9.0.1.03
Emsisoft Anti-Malware | Gen:Variant.Adware.Kazy.607544 | 8.16.01.03.08
ESET NOD32 | MSIL/Adware.Imali (variant) | 10.12774
Fortinet FortiGate | Adware/Agent | 1/3/2016
F-Secure | Gen:Variant.Adware.Kazy | 11.2016-03-01_1
G Data | Gen:Variant.Adware.Kazy.607544 | 16.1.25
IKARUS anti.virus | PUA.MSIL.Downloader | t3scan.1.9.5.0
K7 AntiVirus | Adware | 13.212.18222
Kaspersky | not-a-virus:AdWare.MSIL.Agent | 14.0.0.873
Malwarebytes | PUP.Optional.Bundler | v2016.01.03.08
McAfee | Artemis!C5F897E9ADB3 | 5600.6532
MicroWorld eScan | Gen:Variant.Adware.Kazy.607544 | 17.0.0.9
NANO AntiVirus | Riskware.Win32.Crossrider1.dyftun | 1.0.14.5317
Panda Antivirus | Trj/CI.A | 16.01.03.08
Rising Antivirus | PE:Malware.Generic/QRS!1.9E2D [F] | 23.00.65.16101
Sophos | Offer Installer (PUA) | 4.98
Trend Micro | TROJ_GEN.R02KC0OKD15 | 10.465.03
Vba32 AntiVirus | AdWare.MSIL.Agent | 3.12.26.4
VIPRE Antivirus | Adware.MSIL.Agent | 46052
ViRobot | Adware.Imali.3006976[h] | 2014.3.20.0
Zillya! Antivirus | Adware.Agent.Win32.84068 | 2.0.0.2578

File size:
2.9 MB (3,006,976 bytes)

Product version:
1.0.0.0

Original file name:
FinalInstaller_dotnet4.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nwgfa73.exe

File PE Metadata

Compilation timestamp:
10/22/2015 10:11:07 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:ZFZFUu6kcZwzMgmjjTySlH4eBjMxXRhCsQd:Z9NXc+zXmOaH4eZMxP

Entry address:
0x2D6F8E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.8 MB (2,969,600 bytes)

The file nwgfa73.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove nwgfa73.exe - Powered by Reason Core Security