nsme4a5.tmp

The file nsme4a5.tmp has been detected as malware by 24 anti-virus scanners. The file has been seen being downloaded from 3qx99u3-03bqrjm1.netdna-ssl.com. While running, it connects to the Internet address server-205-251-251-178.jfk5.r.cloudfront.net on port 80 using the HTTP protocol.
Version:
2.11.0.999

MD5:
5d494d8859f92d5909b9171be7893d9f

SHA-1:
8581fbed23747e8b070d7ef23c9da56ec5657708

SHA-256:
ab3a6d19506b4c3bbc35136661f85a8b124a1c5ee28666a388ccdf0ca3a2cc4c

Scanner detections:
24 / 68

Status:
Malware

Analysis date:
11/25/2017 9:00:10 AM UTC

Scan engine            | Detection                          | Engine version
Lavasoft Ad-Aware      | Gen:Variant.Strictor.96318         | 471
Agnitum Outpost        | Trojan.DR.Agent                    | 7.1.1
Antiy Labs AVL         | Trojan[Dropper]/Win32.Agent        | 1.0.0.1
Arcabit                | Trojan.Strictor.D1783E             | 1.0.0.582
avast!                 | Win32:Dropper-gen [Drp]            | 2014.9-151022
Baidu Antivirus        | Trojan.Win32.Dropper.bjppjt        | 4.0.3.151022
Bitdefender            | Gen:Variant.Strictor.96318         | 1.0.20.1475
Dr.Web                 | Trojan.DownLoader16.32004          | 9.0.1.0295
Emsisoft Anti-Malware  | Gen:Variant.Strictor.96318         | 8.15.10.22.05
Fortinet FortiGate     | W32/Agent.BJPPJT!tr                | 10/22/2015
F-Secure               | Gen:Variant.Strictor.96318         | 11.2015-22-10_5
G Data                 | Gen:Variant.Strictor.96318         | 15.10.25
K7 Gateway Antivirus   | Riskware                           | 13.210.17545
Kaspersky              | Trojan-Dropper.Win32.Agent.bjppjt  | 14.0.0.1239
McAfee                 | GenericR-EOA!5D494D8859F9          | 5600.6605
McAfee Web Gateway     | GenericR-EOA!5D494D8859F9          | 7.6605
MicroWorld eScan       | Gen:Variant.Strictor.96318         | 16.0.0.885
NANO AntiVirus         | Trojan.Win32.Agent.dxbzoc          | 0.30.26.3947
Panda Antivirus        | Trj/Genetic.gen                    | 15.10.22.05
Qihoo 360 Security     | HEUR/QVM10.1.Malware.Gen           | 1.0.0.1015
Reason Heuristics      | Threat.Win.Reputation.IMP          | 15.11.6.15
Sophos                 | Mal/Generic-S                      | 4.98
Trend Micro            | TROJ_GEN.R00XC0EJ115               | 10.465.22
Zillya! Antivirus      | Dropper.Agent.Win32.218362         | 2.0.0.2447

File size:
1.4 MB (1,511,936 bytes)

Product version:
2.11.0.999

Copyright:
Copyright (C) 2014

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\nsme4a5.tmp

File PE Metadata
Compilation timestamp:
9/17/2015 9:42:27 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
24576:ZU7sSnqci60+NMEUZu6TStAwEdA74Y+5pexGz9WQv8DpBFrKnWm3+RDggbhb:mRv0+NMEUZucStA7A11pBFrqWm3+Fgg9

Entry address:
0xAB428


Entropy:
6.2556

Code size:
932.5 KB (954,880 bytes)

The file nsme4a5.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.


Remove nsme4a5.tmp - Powered by Reason Core Security