wtf_-_ncika_prod_by_.exe

Tolaracol

Gesuk

The executable wtf_-_ncika_prod_by_.exe (“Tolaracol Setup”) has been detected as malware by 5 of 68 anti-virus scanners; three of those engines (AVG, ESET NOD32 and F-Prot) classify it as a variant of the Sality file infector. The file presents itself as a setup and installation application, but it is not signed with an Authenticode signature from a trusted publisher. It has been seen being downloaded from www.flashdownloadtours.com.
Publisher:
Gesuk

Product:
Tolaracol

Description:
Tolaracol Setup

MD5:
dba0e2fb50d892646a58215b5958bb89

SHA-1:
c9d04b5a003417a76b873f0caf997c1aaffdd493

SHA-256:
1b8051b7da09599bd38bdd1e5e8a0980692e8d03bf2a8fff699af7a5a85654cb

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
1/12/2025 6:00:23 PM UTC

Scan engine
Detection
Engine version

avast!
Win32:SaliCode
160708-3

AVG
Win32/Sality
2015.0.4591

ESET NOD32
Win32/Sality.NBA virus
8.0.319.0

F-Prot
W32/Sality.gen2
4.6.5.141

Microsoft Security Essentials
Threat.Undefined
1.225.1578.0

File size:
1009.2 KB (1,033,440 bytes)

Product version:
5.7

Copyright:
Stub

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\wtf_-_ncika_prod_by_.exe

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM  (TimeDateStamp 0x2A425E19, the fixed value written by Borland/Delphi linkers rather than a real build date; consistent with the linker version 2.25 below)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:N77lXsvM8rOd0KGPeI5MHCHtwysk7A9AIZpulmYmdP1c33SjeP3:N7Z8JyqPTKCtZs0A9Al6dP1mSi/

Entry address:
0xAA98

Entry point:
60, EB, 03, 80, E8, A4, 78, 01, 4B, 3D, 2E, 00, 00, 00, 75, 08, F7, C2, 43, 2C, F4, 20, 8A, F3, F6, C7, BF, 8D, 15, EB, 16, 07, 41, 3D, 2F, 4F, 00, 00, 8B, FF, FF, C5, 38, D0, 0A, ED, 88, F2, 85, F9, 28, E9, E8, 31, 00, 00, 00, 75, 0F, F6, C7, 45, 81, C3, F5, 95, 31, 6E, 8D, 15, 09, 14, 2F, B0, 2D, CD, 16, D5, 42, 8A, DA, 89, D8, 87, CE, 0F, B6, C3, 88, C0, 57, 70, 0A, 2A, FF, 2D, EC, 8A, B9, FA, F6, C3, A3, 5F, 84, E2, 5E, FE, C9, 1A, D3, 86, D2, 8D, 0D, C5, 1A, 56, 1A, 05, 0F, 53, 43, A7, FF, C7, 87, CA...

Entropy:
7.9405  (probably packed)

Code size:
40.5 KB (41,472 bytes)
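As an added worked example (not code from this page or from Reason Core Security), the following Python script reproduces the static triage behind the fields above: the three hashes, the Shannon entropy that drives the "probably packed" verdict, the Authenticode presence check, and the PE header fields (timestamp, linker version, OS version, bitness, subsystem, entry RVA, code size), parsed by hand from the COFF and optional headers so it needs no third-party module. Because the real sample is not reproduced here, `build_sample_pe` constructs a minimal PE32 carrying this listing's header values (the Borland timestamp, linker 2.25, entry 0xAA98, GUI subsystem, 41,472 bytes of code) with a deterministic high-entropy payload standing in for a packed body; that constructed sample, the `triage` helper and the 7.0 bits-per-byte "probably packed" threshold are assumptions of the example, not data from the page.

```python
"""Static triage of a Win32 PE: hashes, entropy and the header fields a scanner listing reports."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

BORLAND_TIMESTAMP = 0x2A425E19        # 1992-06-19 22:22:17 UTC, hard-coded by Borland/Delphi linkers
IMAGE_DIRECTORY_ENTRY_SECURITY = 4    # data directory slot holding the Authenticode blob
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
PACKED_THRESHOLD = 7.0                # assumed cut-off for "probably packed" (8.0 is uniform random)


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 hex digests, the identifiers used to pivot between scanners."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the whole buffer; compressed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read the COFF/optional header fields by offset; PE32 (0x10B) and PE32+ (0x20B) are handled."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, _nsec, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)   # same offset in PE32 and PE32+
    subsystem, = struct.unpack_from("<H", data, opt + 68)            # same offset in PE32 and PE32+
    if magic == 0x10B:
        dirs = opt + 96
    elif magic == 0x20B:
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs, = struct.unpack_from("<I", data, dirs - 4)               # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "borland_timestamp": timestamp == BORLAND_TIMESTAMP,
        "linker_version": f"{major_linker}.{minor_linker}",
        "os_version": f"{os_major}.{os_minor}",
        "bitness": "Win32" if magic == 0x10B else "Win64",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "code_size": size_of_code,
        # A non-empty security directory only means a signature blob is attached; it says
        # nothing about whether the chain verifies or whether the signer is trusted.
        "has_authenticode": sec_off != 0 and sec_size != 0,
    }


def triage(data: bytes) -> dict:
    """Hashes, header fields and the entropy-based packing verdict in one dictionary."""
    ent = shannon_entropy(data)
    return {**file_hashes(data), **parse_pe(data), "entropy": round(ent, 4), "probably_packed": ent > PACKED_THRESHOLD}


def build_sample_pe(*, signed: bool, high_entropy: bool, timestamp: int = BORLAND_TIMESTAMP) -> bytes:
    """Constructed minimal PE32 (not the real sample) carrying the header values this listing shows."""
    payload_len = 16384
    if high_entropy:   # deterministic pseudo-random bytes stand in for a packed section
        payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(payload_len // 32))
    else:
        payload = b"\x90" * payload_len
    cert = b"\x00" * 8 + b"C" * 64 if signed else b""   # placeholder blob, not a real WIN_CERTIFICATE
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 2, 25, 41472, 0, 0, 0xAA98, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      1, 0, 0, 0, 4, 0, 0, 0x10000, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    headers_len = len(dos) + len(coff) + len(opt) + 16 * 8 + 40
    cert_off = headers_len + len(payload) if signed else 0
    dirs = b"".join(struct.pack("<II", cert_off, len(cert)) if i == IMAGE_DIRECTORY_ENTRY_SECURITY
                    else struct.pack("<II", 0, 0) for i in range(16))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000, len(payload), headers_len,
                          0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + dirs + section + payload + cert


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(signed=False, high_entropy=True)
    for key, value in triage(blob).items():
        print(f"{key:>18}: {value:#x}" if key == "entry_rva" else f"{key:>18}: {value}")
```

Run it as `python triage.py some.exe` to print the same dictionary for a real file; without an argument it triages the constructed sample. Treat `has_authenticode` only as "a signature is present": whether the chain verifies and whether the signer is trusted still has to be checked with `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`, and the Borland timestamp flag means the compile date cannot be used for timelining.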

The file wtf_-_ncika_prod_by_.exe has been seen being distributed from www.flashdownloadtours.com.

Remove wtf_-_ncika_prod_by_.exe - Powered by Reason Core Security