home

awh2a5a.tmp

Setup

LLC

The file awh2a5a.tmp by LLC has been detected as adware by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from setup-14b7.kxcdn.com.
Publisher:
Open Source  (signed by LLC )

Product:
Setup

Version:
1.2

MD5:
687d603d3831388582f8fbc188e5b44e

SHA-1:
c18e3fa43c49157f1d27b4dadc06d66b43eba46b

SHA-256:
8189c9edd4959744f883738086c3a5072331583327863c7833b0ace8c3a105da

Scanner detections:
9 / 68

Status:
Adware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/5/2024 4:42:26 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
TR/BitCoinMiner.4626720.2
8.3.1.6

avast!
Multi:BitCoinMiner-B [PUP]
2014.9-150830

Baidu Antivirus
Hacktool.Win32.BitCoinMiner
4.0.3.15830

Dr.Web
Trojan.BtcMine.709
9.0.1.0242

ESET NOD32
Win64/BitCoinMiner.AT potentially unsafe (variant)
9.12141

Fortinet FortiGate
Riskware/BitCoinMiner
8/30/2015

IKARUS anti.virus
Trojan.BitCoinMiner
t3scan.1.9.5.0

Qihoo 360 Security
HEUR/QVM42.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Amonitize.OpenSource.Installer (M)
15.8.30.18

File size:
4 MB (4,170,032 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\awh2a5a.tmp

Digital Signature
Signed by:
LLC

Authority:
COMODO CA Limited

Valid from:
5/26/2015 4:00:00 AM

Valid to:
5/26/2016 3:59:59 AM

Subject:
CN="LLC ""Soft-Portal""", O="LLC ""Soft-Portal""", STREET="Moskovskyy Kvartal, 12/3", L=Slavutych, S=Kyyivska, PostalCode=07100, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4376DD1DE225C965B55E10F0EF32F115

File PE Metadata
Compilation timestamp:
10/7/2014 8:40:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:eFxw3d7Cvu7y0VTvJnEtBXPx9J3rlr+FWNfJ8w/a9FdTc7Yz:KodFvlMfZd3Dz0TQs

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...
 
[+]

Entropy:
7.9985

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file awh2a5a.tmp has been seen being distributed by the following URL.

http://setup-14b7.kxcdn.com/setup.exe

Remove awh2a5a.tmp - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.