» nsh379f.tmp
Overview
Analysis
File Details
Downloads (18)
Network (48)

nsh379f.tmp

The file nsh379f.tmp has been detected as a potentially unwanted program by 24 anti-malware scanners. The file has been seen being downloaded from 113.171.224.210 and multiple other hosts. While running, it connects to the Internet address server-52-85-173-97.fra6.r.cloudfront.net on port 80 using the HTTP protocol.

File name:

nsh379f.tmp

MD5:

0ccf900044e0e4edf36e89008e2c6aa7

SHA-1:

e5a8fa6169c7195369f39dc49676aac100d24807

SHA-256:

2fc12cef0024b894c930172960669d81bc39fc3c1be334013642cfa877e68de4

Scanner detections:

24 / 68

Status:

Potentially unwanted

Analysis date:

4/16/2024 3:59:17 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.GenericKD.2478098

576

Agnitum Outpost

PUA.Downware

7.1.1

AhnLab V3 Security

Adware/Win32.Downware

2015.07.07

Avira AntiVirus

TR/Dldr.Agent.254464.4

8.3.1.6

Arcabit

Trojan.Generic.D25D012

1.0.0.425

avast!

Win32:Adware-gen [Adw]

2014.9-150709

Baidu Antivirus

Trojan.Win32.Downloader

4.0.3.15610

Bitdefender

Trojan.GenericKD.2478098

1.0.20.950

Dr.Web

Adware.Downware.11745

9.0.1.0190

Emsisoft Anti-Malware

Trojan.GenericKD.2478098

8.15.07.09.09

Fortinet FortiGate

W32/Generic!tr.dldr

7/9/2015

F-Secure

Trojan.GenericKD.2478098

11.2015-09-07_5

G Data

Trojan.GenericKD.2478098

15.7.25

IKARUS anti.virus

Trojan.SuspectCRC

t3scan.1.9.5.0

Kaspersky

HEUR:Trojan-Downloader.Win32.Generic

14.0.0.1909

Malwarebytes

PUP.Optional.PreInstaller.A

v2015.07.09.09

McAfee

Artemis!0CCF900044E0

5600.6710

MicroWorld eScan

Trojan.GenericKD.2478098

16.0.0.570

NANO AntiVirus

Riskware.Win32.Downware.dsxeuy

0.30.24.2487

nProtect

Trojan.GenericKD.2478098

15.07.06.01

Panda Antivirus

Trj/Chgt.O

15.07.09.09

Reason Heuristics

Threat.Win.Reputation.IMP

15.7.11.22

Trend Micro

TROJ_GEN.R00JC0EFL15

10.465.09

ViRobot

Trojan.Win32.S.Agent.254464.DP[h]

2014.3.20.0

File size:

248.5 KB (254,464 bytes)

Common path:

C:\users\{user}\appdata\local\temp\nsh379f.tmp

File PE Metadata

Compilation timestamp:

6/10/2015 11:04:52 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

3072:lW4xDGJt0uU5cQzq7Wf9NU4e/mecm38dZNWcPzX318eoV/hTdaQ58HcjoJM8:k4MbC5Vz1U4Lecm323Wcb18BN2HJM8

Entry address:

0x1340A

Entry point:

E8, F1, 78, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 08, 44, 42, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, D0, 40, 42, 00, C9, C2, 08, 00, FF, 35, 00, D2, 42, 00, FF, 15, A4, 40, 42, 00, 85, C0, 74, 02, FF, D0, 6A, 19, E8, E2, 70, 00, 00, 6A, 01, 6A, 00, E8, ED, 2B, 00, 00, 83, C4, 0C, E9, B2, 2B, 00, 00... 
[+]

Entropy:

5.6308

Code size:

138 KB (141,312 bytes)

The file nsh379f.tmp has been seen being distributed by the following 18 URLs.

http://113.171.224.210/.../setup_362.exe

http://113.31.46.204:81/1Q2W3E4R5T6Y7U8I9O0P1Z2X3C4V5B/.../setup_362.exe

http://113.171.224.177/.../setup_362.exe

http://41.223.201.247/.../setup_362.exe

http://201.31.162.85/cache/.../setup_362.exe

http://211.81.63.3/files/80170000007124BD/.../setup_362.exe

http://113.171.224.242/.../setup_362.exe

http://113.171.224.176/.../setup_362.exe

http://91.194.162.11/.../setup_362.exe

http://113.171.224.203/.../setup_362.exe

http://113.171.224.178/.../setup_362.exe

http://201.31.162.87/cache/.../setup_362.exe

http://223.27.200.4/.../setup_362.exe

http://113.171.224.208/.../setup_362.exe

http://113.171.224.243/.../setup_362.exe

http://113.171.224.209/.../setup_362.exe

http://113.171.224.168/.../setup_362.exe

http://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ec2-52-1-45-42.compute-1.amazonaws.com (52.1.45.42:80)

TCP (HTTP):

Connects to euve246913.serverprofi24.com (62.75.142.165:80)

TCP (HTTP):

Connects to server-54-230-95-176.fra2.r.cloudfront.net (54.230.95.176:80)

TCP (HTTP):

Connects to server-54-230-216-253.mrs50.r.cloudfront.net (54.230.216.253:80)

TCP (HTTP):

Connects to server-54-230-0-67.lhr5.r.cloudfront.net (54.230.0.67:80)

TCP (HTTP):

Connects to server-54-230-0-61.lhr5.r.cloudfront.net (54.230.0.61:80)

TCP (HTTP):

Connects to server-54-230-0-169.lhr5.r.cloudfront.net (54.230.0.169:80)

TCP (HTTP):

Connects to server-52-85-221-216.cdg50.r.cloudfront.net (52.85.221.216:80)

TCP (HTTP):

Connects to server-52-85-173-123.fra6.r.cloudfront.net (52.85.173.123:80)

TCP (HTTP):

Connects to server-52-84-246-39.sfo20.r.cloudfront.net (52.84.246.39:80)

TCP (HTTP):

Connects to server-52-84-246-182.sfo20.r.cloudfront.net (52.84.246.182:80)

TCP (HTTP):

Connects to server-52-84-246-100.sfo20.r.cloudfront.net (52.84.246.100:80)

TCP (HTTP):

Connects to server-54-240-186-83.mad50.r.cloudfront.net (54.240.186.83:80)

TCP (HTTP):

Connects to server-54-240-186-247.mad50.r.cloudfront.net (54.240.186.247:80)

TCP (HTTP):

Connects to server-54-239-132-8.sfo9.r.cloudfront.net (54.239.132.8:80)

TCP (HTTP):

Connects to server-54-239-132-64.sfo9.r.cloudfront.net (54.239.132.64:80)

TCP (HTTP):

Connects to server-54-239-132-117.sfo9.r.cloudfront.net (54.239.132.117:80)

TCP (HTTP):

Connects to server-54-230-95-187.fra2.r.cloudfront.net (54.230.95.187:80)

TCP (HTTP):

Connects to server-54-230-95-134.fra2.r.cloudfront.net (54.230.95.134:80)

TCP (HTTP):

Connects to server-54-230-81-25.mia50.r.cloudfront.net (54.230.81.25:80)

Remove nsh379f.tmp - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.