nss86ec.tmp

The file nss86ec.tmp has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, but the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from livestatscounter.com. While running, it connects to the Internet address dl19.clickmein.com on port 80 using the HTTP protocol.
Version:
1.0.0.1

MD5:
8501f079ef3fc63721d0164b8a34b4a9

SHA-1:
574bdc64c4c790a31e010aabb2d6789e690b8e7d

SHA-256:
cfae0bbec9dc0e02bd6f2a5fa5c52241d53a58c369784f78aa9d3a96485658e3

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
12/15/2017 3:07:04 PM UTC

Scan engine           Detection                                    Engine version
AhnLab V3 Security    PUP/Win32.Downloader                         2015.07.23
Baidu Antivirus       Adware.Win32.ConvertAd                       4.0.3.15723
ESET NOD32            Win32/Adware.ConvertAd.RL                    9.11984
Kaspersky             UDS:DangerousObject.Multi.Generic            14.0.0.1692
NANO AntiVirus        Riskware.Nsis.ConvertAd.dtccvd               0.30.24.2668
Rising Antivirus      PE:Trojan.Win32.Generic.18E48A62!417630818   23.00.65.15721

File size:
197.9 KB (202,653 bytes)

Product version:
1.0.0.1

Copyright:
Copyright 2013

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nss86ec.tmp

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:csjOVYcY+4UTzTRZzLVUjdMsVgPTGaLleoG:nOVYcaU3tZz+jdMqSGPoG

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file nss86ec.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP): Connects to ec2-50-19-251-15.compute-1.amazonaws.com (50.19.251.15:80)
TCP (HTTP): Connects to ec2-54-243-79-135.compute-1.amazonaws.com (54.243.79.135:80)
TCP (HTTP): Connects to dl21.clickmein.com (216.227.128.186:80)
TCP (HTTP): Connects to ec2-54-235-96-50.compute-1.amazonaws.com (54.235.96.50:80)
TCP (HTTP): Connects to ec2-184-73-245-76.compute-1.amazonaws.com (184.73.245.76:80)
TCP (HTTP): Connects to dl19.clickmein.com (50.7.184.162:80)
TCP (HTTP): Connects to ec2-107-21-122-166.compute-1.amazonaws.com (107.21.122.166:80)
TCP (HTTP): Connects to ec2-54-235-132-107.compute-1.amazonaws.com (54.235.132.107:80)
TCP (HTTP): Connects to server-54-239-164-73.lhr50.r.cloudfront.net (54.239.164.73:80)
TCP (HTTP): Connects to server-54-230-58-41.gru1.r.cloudfront.net (54.230.58.41:80)
TCP (HTTP): Connects to server-54-230-52-221.jfk6.r.cloudfront.net (54.230.52.221:80)
TCP (HTTP): Connects to server-54-230-39-70.jfk1.r.cloudfront.net (54.230.39.70:80)
TCP (HTTP): Connects to server-54-230-39-157.jfk1.r.cloudfront.net (54.230.39.157:80)
TCP (HTTP): Connects to server-54-230-39-152.jfk1.r.cloudfront.net (54.230.39.152:80)
TCP (HTTP SSL): Connects to server-54-230-39-134.jfk1.r.cloudfront.net (54.230.39.134:443)
TCP (HTTP): Connects to server-54-230-39-13.jfk1.r.cloudfront.net (54.230.39.13:80)
TCP (HTTP): Connects to server-54-230-38-79.jfk1.r.cloudfront.net (54.230.38.79:80)
TCP (HTTP): Connects to server-54-230-38-68.jfk1.r.cloudfront.net (54.230.38.68:80)
TCP (HTTP): Connects to server-54-230-38-122.jfk1.r.cloudfront.net (54.230.38.122:80)
TCP (HTTP): Connects to server-54-230-38-110.jfk1.r.cloudfront.net (54.230.38.110:80)

Remove nss86ec.tmp - Powered by Reason Core Security