awhc734.tmp

Setup

LLC

The file awhc734.tmp by LLC has been detected as adware by 16 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. This is a malicious Bitcoin miner. Bitcoin-mining malware forces infected computers to generate Bitcoins for cybercriminals' use, consuming the machine's computing power. The file is typically executed from the user's temporary directory and has been seen being downloaded from setup-14b7.kxcdn.com.
Publisher:
Open Source (signed by LLC)

Product:
Setup

Version:
1.2

MD5:
32264b4e13b26fa69e37b6dbc223ea90

SHA-1:
b4a81a79e48d50be675a681abb5b590859bf5549

SHA-256:
91a27f357f0fe450a05f9ea558fabecc505a37e1239115d58812d5a0d5ed3895

Scanner detections:
16 / 68

Status:
Adware

Explanation:
The program will mine for Bitcoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/24/2024 6:46:34 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| AhnLab V3 Security | Unwanted/Win32.BitCoinMiner | 2015.09.17 |
| Avira AntiVirus | TR/BitCoinMiner.4628256 | 8.3.2.2 |
| avast! | Win32:Amonetize-JS [PUP] | 2014.9-150917 |
| AVG | Generic | 2016.0.2984 |
| Baidu Antivirus | Hacktool.Win32.BitCoinMiner | 4.0.3.15917 |
| Dr.Web | Trojan.Amonetize.2893 | 9.0.1.0260 |
| ESET NOD32 | Win32/BitCoinMiner.BY potentially unsafe (variant) | 9.12265 |
| Fortinet FortiGate | Riskware/BitCoinMiner | 9/17/2015 |
| IKARUS anti.virus | Trojan.BitCoinMiner | t3scan.1.9.5.0 |
| K7 AntiVirus | Unwanted-Program | 13.210.17239 |
| Kaspersky | not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner | 14.0.0.1413 |
| Panda Antivirus | Trj/CI.A | 15.09.17.08 |
| Quick Heal | RiskTool.BitCoinMin.09327 | 9.15.14.00 |
| Reason Heuristics | PUP.Amonitize.OpenSource.Installer (M) | 15.9.17.8 |
| Sophos | CpuMiner (PUA) | 4.98 |
| VIPRE Antivirus | Trojan.Win32.Generic | 43816 |

File size:
4.1 MB (4,269,552 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\awhc734.tmp

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
4/1/2015 3:00:00 AM

Valid to:
4/1/2016 2:59:59 AM

Subject:
CN="LLC ""DIIL-SOFT""", O="LLC ""DIIL-SOFT""", STREET="Bud. 1/1 kv. 53, vul.Artyleriiska", L=Odesa, S=Odesa, PostalCode=65000, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
156BBAD6D18CB9FA0E8C2027D2B39A9C

File PE Metadata
Compilation timestamp:
10/7/2014 7:40:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:qP7cysTMwIAu5BLQrmp5EKFYcWk4HtgRGYkAlU2pHZQJHOjQ:gmMLAyH5EMi7Ktk01pHHjQ

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file awhc734.tmp has been seen being distributed by the following URL.
