awhc4d6.tmp

Setup

LLC

The file awhc4d6.tmp, signed by LLC "SOFT-GLOBAL", has been detected as adware (a potentially unwanted Bitcoin miner) by 14 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer and carries a Bitcoin miner. Bitcoin-mining malware forces the victim's computer to generate Bitcoins for the cybercriminals who deploy it and consumes the machine's computing power. Like other NSIS-wrapped payloads, it is typically executed from the user's temporary directory. The file has been seen being downloaded from setup-14b7.kxcdn.com.
Publisher:
Open Source (signed by LLC "SOFT-GLOBAL")

Product:
Setup

Version:
1.2

MD5:
da6f91512b47e4db1eb6e89e665dd086

SHA-1:
1c5be8ea0487544bb6ed6efa1d2612aafba22c46

SHA-256:
e2b0b59fb70ad6f6699fa090ee3d2aa2c565531e6e2e06c8e0f59ead2c872a1c

Scanner detections:
14 / 68

Status:
Adware

Explanation:
The program mines for Bitcoins in the background using the computer's GPU (the Sophos CpuMiner signature indicates the CPU is used as well) and may be installed and run without the user's knowledge.

Analysis date:
12/26/2024 11:22:32 AM UTC

Scan engine             Detection                                              Engine version
Avira AntiVirus         TR/BitCoinMiner.4628256                                8.3.2.2
avast!                  Multi:BitCoinMiner-B [PUP]                             2014.9-150922
AVG                     Generic                                                2016.0.2978
Dr.Web                  Trojan.BtcMine.739                                     9.0.1.0265
ESET NOD32              Win32/BitCoinMiner.BY potentially unsafe (variant)     9.12289
Fortinet FortiGate      Riskware/BitCoinMiner                                  9/22/2015
IKARUS anti.virus       PUA.BitCoinMiner                                       t3scan.1.9.5.0
K7 AntiVirus            Unwanted-Program                                       13.210.17284
Kaspersky               not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner           14.0.0.1386
Qihoo 360 Security      HEUR/QVM42.1.Malware.Gen                               1.0.0.1015
Quick Heal              RiskTool.BitCoinMin.09327                              9.15.14.00
Reason Heuristics       PUP.Amonitize.OpenSource.Installer (M)                 15.9.22.18
Sophos                  CpuMiner (PUA)                                         4.98
VIPRE Antivirus         Trojan.Win32.Generic                                   43952

File size:
4.1 MB (4,286,312 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\awhc4d6.tmp

Digital Signature
Signed by:
LLC "SOFT-GLOBAL"
Authority:
COMODO CA Limited

Valid from:
6/27/2015 3:00:00 AM

Valid to:
6/27/2016 2:59:59 AM

Subject:
CN="LLC ""SOFT-GLOBAL""", O="LLC ""SOFT-GLOBAL""", STREET="str. Zhelyabova, 8/4", L=Kiev, S=Kiev, PostalCode=03680, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B36870BF55993A07D317A20F776B7615

File PE Metadata
Compilation timestamp:
10/7/2014 6:40:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:9B7TLhILDbkQjFS2/LBwRvZqwnrK6BnV0/9MmvFn+ez2Yfb:L7YVxXFwRxlzBWFvF+ezhT

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...
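The PE metadata fields above (compilation timestamp, OS version, bitness, subsystem, linker version, entry address and entry-point bytes) are read directly from the DOS, COFF and optional headers, and the section table is what turns the entry RVA into a file offset. The following parser is an added example, not code from this page or from Reason Core, that extracts those fields from a PE32 file using only the Python standard library. build_sample_pe() constructs a synthetic image carrying this page's values (the real awhc4d6.tmp is not included) so the parser can be exercised offline; PE32+ (64-bit) images lay the optional header out differently after BaseOfCode and are rejected rather than misparsed.

```python
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Win32", 0x8664: "Win64"}

# PE32 optional header up to and including DllCharacteristics (72 bytes).
OPT_HDR = "<HBBIIIIIIIIIHHHHHHIIIIHH"
COFF_HDR = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for name, vsize, va, rawsize, rawptr, *_ in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return None


def parse_pe(data: bytes) -> dict:
    """Extract the triage fields this page reports from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, pe + 4)
    opt = pe + 24                                             # optional header follows the 20-byte COFF header
    f = struct.unpack_from(OPT_HDR, data, opt)
    if f[0] != 0x10B:
        raise NotImplementedError("only PE32 is handled; PE32+ shifts the fields after BaseOfCode")
    sections = [struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i) for i in range(nsect)]
    entry_rva = f[6]
    entry_off = rva_to_offset(sections, entry_rva)
    return {
        "bitness": MACHINES.get(machine, hex(machine)),
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker_version": f"{f[1]}.{f[2]}",
        "code_size": f[3],                                    # SizeOfCode
        "entry_address": hex(entry_rva),                      # AddressOfEntryPoint
        "os_version": f"{f[12]}.{f[13]}",                     # Major/MinorOperatingSystemVersion
        "subsystem": SUBSYSTEMS.get(f[22], str(f[22])),
        "entry_bytes": data[entry_off:entry_off + 16].hex() if entry_off is not None else "",
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not the real sample) populated with the header
    values listed on this page; everything not reported there is zeroed."""
    compiled = int(datetime(2014, 10, 7, 6, 40, 17, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)     # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack(COFF_HDR, 0x14C, 1, compiled, 0, 0, 224, 0x010F)  # i386, one section
    opt = struct.pack(OPT_HDR,
                      0x10B, 6, 0,                # PE32 magic, linker 6.0
                      23552, 0, 0,                # SizeOfCode = 23,552 bytes
                      0x3217,                     # AddressOfEntryPoint
                      0x1000, 0x7000, 0x400000,   # BaseOfCode, BaseOfData, ImageBase
                      0x1000, 0x200,              # SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0,           # OS 4.0, image 0.0, subsystem 4.0
                      0, 0x8000, 0x400, 0,        # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0)                       # Subsystem = Windows GUI, DllCharacteristics
    opt = opt.ljust(224, b"\x00")                 # empty data directories
    text = struct.pack(SECTION_HDR, b".text", 23552, 0x1000, 23552, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + text).ljust(0x400, b"\x00")
    # Leading entry-point bytes as listed on the page:
    # sub esp,0x184; push ebx; push ebp; push esi; xor ebx,ebx; push edi
    entry = bytes.fromhex("81EC8401000053555633DB57")
    code = bytearray(23552)
    code[0x3217 - 0x1000:0x3217 - 0x1000 + len(entry)] = entry
    return headers + bytes(code)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in parse_pe(blob).items():
        print(f"{key}: {value}")
```

Run it with a path to parse a real file, or without arguments to parse the constructed sample. Signature, packer and entropy are not in the headers and need separate tooling.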

Entropy:
7.9986
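The hashes (MD5, SHA-1, SHA-256), file size and entropy above are the fields a responder reproduces first when deciding whether a file on a host is this sample. The following triage helper is an added example, not code from this page or from Reason Core: it digests a file, measures its Shannon entropy, looks for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst", which NSIS writes in front of its compressed archive) and compares the digests with the indicators listed on this page. The 7.0 entropy cut-off is an assumed heuristic, not a value from the page, and the ssdeep hash is not reproduced because it needs the external ssdeep tool rather than the standard library.

```python
import hashlib
import math
from collections import Counter

# Indicators transcribed from this page; the sample file itself is not included.
PAGE_IOCS = {
    "md5": "da6f91512b47e4db1eb6e89e665dd086",
    "sha1": "1c5be8ea0487544bb6ed6efa1d2612aafba22c46",
    "sha256": "e2b0b59fb70ad6f6699fa090ee3d2aa2c565531e6e2e06c8e0f59ead2c872a1c",
    "size": 4286312,
}

# NSIS "first header" marker: 0xDEADBEEF (little-endian) followed by "NullsoftInst".
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte
    distribution. Compressed or encrypted payloads sit close to 8, which is why
    an NSIS installer wrapping a zlib/bzip2/LZMA archive reports ~7.99."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """MD5, SHA-1, SHA-256 and size, the same fields this page lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def triage(data: bytes, iocs: dict = PAGE_IOCS, entropy_threshold: float = 7.0) -> dict:
    """Compare a sample with the page's indicators and flag packed NSIS content.
    entropy_threshold is an assumed heuristic cut-off, not a value from the page."""
    d = digests(data)
    ent = shannon_entropy(data)
    return {
        **d,
        "entropy": round(ent, 4),
        "matches_page_sha256": d["sha256"] == iocs["sha256"],
        "size_matches_page": d["size"] == iocs["size"],
        "is_pe": data[:2] == b"MZ",
        "nsis_installer": NSIS_MARKER in data,
        "likely_packed": ent >= entropy_threshold,
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path)
        for key, value in triage_file(path).items():
            print(f"  {key}: {value}")
```

A SHA-256 match settles identity; a matching NSIS marker with near-8 entropy but different hashes points at a repacked build of the same installer family, which is where the ssdeep value on this page becomes useful.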

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file awhc4d6.tmp has been seen being distributed from the following host: setup-14b7.kxcdn.com.
