nso34ca.tmp

The file nso34ca.tmp has been detected as malware by 9 anti-virus scanners. The file has been seen being downloaded from d24u51ac8ybaqu.cloudfront.net. While running, it connects to the Internet address server-54-192-55-132.jfk6.r.cloudfront.net on port 443.
MD5:
2b60a402339a27a0eb3467ee78ea3470

SHA-1:
13b03365a6206ca397f5c3080d0f0cfe28e90524

SHA-256:
7c0508d1355b0d7478dfc30b89294a7cd2faafc8da3f3a1b01577ff24bacaa06

Scanner detections:
9 / 68

Status:
Malware

Analysis date:
11/25/2017 7:00:16 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/Taranis.399
8.3.2.4

Arcabit
Trojan.Mikey.D706F
1.0.0.628

Bitdefender
Gen:Variant.Mikey.28783
1.0.20.1685

Emsisoft Anti-Malware
Gen:Variant.Mikey.28783
8.15.12.03.06

F-Secure
Gen:Variant.Mikey.28783
11.2015-03-12_5

G Data
Gen:Variant.Mikey.28783
15.12.25

MicroWorld eScan
Gen:Variant.Mikey.28783
16.0.0.1011

Panda Antivirus
Trj/Genetic.gen
15.12.03.06

Qihoo 360 Security
HEUR/QVM08.0.Malware.Gen
1.0.0.1077

File size:
9.5 KB (9,728 bytes)

Common path:
C:\users\{user}\appdata\local\temp\nso34ca.tmp

File PE Metadata
Compilation timestamp:
12/3/2015 6:35:31 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
96:f3EVh8bot9jrsI1DFOwJEUPXGUYaqec/PCDBTSOLCTNYTbsONAJy:fUQW9jw2OwTPXGU5cHCDZSruk6AJ

Entry address:
0x1000

Entry point:
6A, 70, 68, 38, 23, 40, 00, E8, F8, 01, 00, 00, 33, DB, 89, 5D, FC, 8D, 45, 80, 50, FF, 15, 00, 20, 40, 00, 83, CF, FF, 89, 7D, FC, 66, 81, 3D, 00, 00, 40, 00, 4D, 5A, 75, 28, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, 17, 0F, B7, 88, 18, 00, 40, 00, 81, F9, 0B, 01, 00, 00, 74, 20, 81, F9, 0B, 02, 00, 00, 74, 05, 89, 5D, E4, EB, 2A, 83, B8, 84, 00, 40, 00, 0E, 76, F2, 33, C9, 39, 98, F8, 00, 40, 00, EB, 11, 83, B8, 74, 00, 40, 00, 0E, 76, DF, 33, C9, 39, 98, E8, 00, 40, 00, 0F, 95, C1...
 
[+]

Entropy:
5.0792

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
2.5 KB (2,560 bytes)

The file nso34ca.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-230-52-74.jfk6.r.cloudfront.net  (54.230.52.74:443)

TCP (HTTP SSL):
Connects to server-54-230-52-186.jfk6.r.cloudfront.net  (54.230.52.186:443)

TCP (HTTP SSL):
Connects to server-54-230-39-33.jfk1.r.cloudfront.net  (54.230.39.33:443)

TCP (HTTP SSL):
Connects to server-54-230-39-234.jfk1.r.cloudfront.net  (54.230.39.234:443)

TCP (HTTP SSL):
Connects to server-54-230-38-186.jfk1.r.cloudfront.net  (54.230.38.186:443)

TCP (HTTP SSL):
Connects to server-54-230-38-177.jfk1.r.cloudfront.net  (54.230.38.177:443)

TCP (HTTP SSL):
Connects to server-54-230-36-204.jfk1.r.cloudfront.net  (54.230.36.204:443)

TCP (HTTP SSL):
Connects to server-54-192-55-186.jfk6.r.cloudfront.net  (54.192.55.186:443)

TCP (HTTP SSL):
Connects to server-54-192-55-166.jfk6.r.cloudfront.net  (54.192.55.166:443)

TCP (HTTP SSL):
Connects to server-54-192-55-132.jfk6.r.cloudfront.net  (54.192.55.132:443)

TCP (HTTP SSL):
Connects to server-54-192-36-126.jfk1.r.cloudfront.net  (54.192.36.126:443)

Remove nso34ca.tmp - Powered by Reason Core Security