home

nsme4a5.tmp

The file nsme4a5.tmp has been detected as malware by 21 anti-virus scanners. The file has been seen being downloaded from 3qx99u3-03bqrjm1.netdna-ssl.com. While running, it connects to the Internet address server-205-251-251-178.jfk5.r.cloudfront.net on port 80 using the HTTP protocol.
Version:
2.11.0.999

MD5:
5d494d8859f92d5909b9171be7893d9f

SHA-1:
8581fbed23747e8b070d7ef23c9da56ec5657708

SHA-256:
ab3a6d19506b4c3bbc35136661f85a8b124a1c5ee28666a388ccdf0ca3a2cc4c

Scanner detections:
21 / 68

Status:
Malware

Analysis date:
4/28/2024 4:17:17 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Strictor.96318
471

Agnitum Outpost
Trojan.DR.Agent
7.1.1

Arcabit
Trojan.Strictor.D1783E
1.0.0.582

avast!
Win32:Dropper-gen [Drp]
2014.9-151022

Baidu Antivirus
Trojan.Win32.Dropper.bjppjt
4.0.3.151022

Bitdefender
Gen:Variant.Strictor.96318
1.0.20.1475

Dr.Web
Trojan.DownLoader16.32004
9.0.1.0295

Emsisoft Anti-Malware
Gen:Variant.Strictor.96318
8.15.10.22.05

Fortinet FortiGate
W32/Agent.BJPPJT!tr
10/22/2015

F-Secure
Gen:Variant.Strictor.96318
11.2015-22-10_5

G Data
Gen:Variant.Strictor.96318
15.10.25

Kaspersky
Trojan-Dropper.Win32.Agent.bjppjt
14.0.0.1239

McAfee
GenericR-EOA!5D494D8859F9
5600.6605

MicroWorld eScan
Gen:Variant.Strictor.96318
16.0.0.885

NANO AntiVirus
Trojan.Win32.Agent.dxbzoc
0.30.26.3947

Panda Antivirus
Trj/Genetic.gen
15.10.22.05

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
15.11.6.15

Sophos
Mal/Generic-S
4.98

Trend Micro
TROJ_GEN.R00XC0EJ115
10.465.22

Zillya! Antivirus
Dropper.Agent.Win32.218362
2.0.0.2447

File size:
1.4 MB (1,511,936 bytes)

Product version:
2.11.0.999

Copyright:
Copyright (C) 2014

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\nsme4a5.tmp

File PE Metadata
Compilation timestamp:
9/17/2015 9:42:27 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:ZU7sSnqci60+NMEUZu6TStAwEdA74Y+5pexGz9WQv8DpBFrKnWm3+RDggbhb:mRv0+NMEUZucStA7A11pBFrqWm3+Fgg9

Entry address:
0xAB428

Entry point:
E8, 4F, CE, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, 58, FC, 53, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 80, C7, 53, 00, 01, 0F, 82, 80, CF, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0...
 
[+]

Entropy:
6.2556

Code size:
932.5 KB (954,880 bytes)

The file nsme4a5.tmp has been seen being distributed by the following URL.

https://3qx99u3-03bqrjm1.netdna-ssl.com/.../braieftpav_ftpbl_setup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-50-86.jfk5.r.cloudfront.net  (54.230.50.86:80)

TCP (HTTP):
Connects to server-54-230-50-78.jfk5.r.cloudfront.net  (54.230.50.78:80)

TCP (HTTP):
Connects to server-54-230-39-68.jfk1.r.cloudfront.net  (54.230.39.68:80)

TCP (HTTP):
Connects to server-54-230-39-62.jfk1.r.cloudfront.net  (54.230.39.62:80)

TCP (HTTP):
Connects to server-54-230-39-35.jfk1.r.cloudfront.net  (54.230.39.35:80)

TCP (HTTP):
Connects to server-54-230-39-188.jfk1.r.cloudfront.net  (54.230.39.188:80)

TCP (HTTP):
Connects to server-54-230-38-173.jfk1.r.cloudfront.net  (54.230.38.173:80)

TCP (HTTP):
Connects to server-54-230-36-112.jfk1.r.cloudfront.net  (54.230.36.112:80)

TCP (HTTP):
Connects to server-54-192-36-131.jfk1.r.cloudfront.net  (54.192.36.131:80)

TCP (HTTP):
Connects to server-205-251-251-76.jfk5.r.cloudfront.net  (205.251.251.76:80)

TCP (HTTP):
Connects to server-205-251-251-72.jfk5.r.cloudfront.net  (205.251.251.72:80)

TCP (HTTP):
Connects to server-205-251-251-69.jfk5.r.cloudfront.net  (205.251.251.69:80)

TCP (HTTP):
Connects to server-205-251-251-25.jfk5.r.cloudfront.net  (205.251.251.25:80)

TCP (HTTP):
Connects to server-205-251-251-241.jfk5.r.cloudfront.net  (205.251.251.241:80)

TCP (HTTP):
Connects to server-205-251-251-24.jfk5.r.cloudfront.net  (205.251.251.24:80)

TCP (HTTP):
Connects to server-205-251-251-217.jfk5.r.cloudfront.net  (205.251.251.217:80)

TCP (HTTP):
Connects to server-205-251-251-206.jfk5.r.cloudfront.net  (205.251.251.206:80)

TCP (HTTP):
Connects to server-205-251-251-203.jfk5.r.cloudfront.net  (205.251.251.203:80)

TCP (HTTP):
Connects to server-205-251-251-178.jfk5.r.cloudfront.net  (205.251.251.178:80)

TCP (HTTP):
Connects to server-205-251-251-135.jfk5.r.cloudfront.net  (205.251.251.135:80)

Remove nsme4a5.tmp - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.