1339.exe

Setup

LLC

The application 1339.exe by LLC has been detected as adware by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from zone4.izabelcoin.com and multiple other hosts.
Publisher:
Open Source  (signed by LLC )

Product:
Setup

Version:
1.2

MD5:
e1ff769ddb82f408445db64d8caa0149

SHA-1:
1e974186bc46f8dd5b957f3555f63dabcf5b2525

SHA-256:
f27c42f6eb08aaa568013dd95b968149ca7a5c24a677384b36efd184230f90c6

Scanner detections:
3 / 68

Status:
Adware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
12/26/2024 11:25:09 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Trojan.BtcMine.893
9.0.1.05190

ESET NOD32
Win32/BitCoinMiner.BY potentially unsafe application
7.0.302.0

Reason Heuristics
PUP.Amonitize.OpenSource.Installer (M)
16.2.4.18

File size:
4.4 MB (4,655,992 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\1339.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/28/2015 3:00:00 AM

Valid to:
6/28/2016 2:59:59 AM

Subject:
CN="LLC ""SOFT ERA""", O="LLC ""SOFT ERA""", STREET="str. Parkhomenka, 11", L=Brovary, S=Kievska, PostalCode=07400, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
68E455B0112EE583E54746EAF224F225

File PE Metadata
Compilation timestamp:
8/5/2015 3:47:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:bYiAMvSFkjd6AoKn6fRQVoTgnNEeDDjwhvy70LySwj3bdb11R1t:u+jXoGucCeDPAvy70Lyrj3bdb11t

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 67, 44, 00, E8, 05, 2E, 00, 00, A3, 04, 67, 44, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, 94, 42, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 27, 44, 00, E8, AF, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, F0, 46, 00, 50, 55, E8, 9D, 2A...
 
[+]

Entropy:
7.9987

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file 1339.exe has been seen being distributed by the following 2 URLs.

Remove 1339.exe - Powered by Reason Core Security