awhd883.tmp

Setup

LLC

The file awhd883.tmp, published as "Open Source" and code-signed by LLC "DIIL-SOFT" (Odesa, UA; certificate issued by COMODO CA Limited), has been flagged by 8 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The detections identify the payload as a Bitcoin miner (for example ESET NOD32: Win32/BitCoinMiner.BY, Baidu: Hacktool.Win32.BitCoinMiner, Sophos: Bitcoin Miner (PUA)), while avast! and Reason classify the installer itself as an Amonetize potentially unwanted program (PUP). Bitcoin-mining malware forces the victim's computer to generate Bitcoins for the criminals' benefit and consumes the machine's computing power. As is typical for such droppers, it runs from the user's temporary directory (C:\users\{user}\appdata\local\temp\awhd883.tmp). A valid code signature does not make the installer safe; it only identifies the publisher that signed it. The file has been seen being downloaded from setup-14b7.kxcdn.com.
Publisher:
Open Source (signed by LLC "DIIL-SOFT")

Product:
Setup

Version:
1.2

MD5:
a61a4b0603f13b9bd2a8a8776373ee0f

SHA-1:
6005589d69c1adf5dfd4417d37dd552859b184bb

SHA-256:
faaa14c6ab1636d60ebd03b44c755739b57912ea19fe27741b8af71471d27bb0

Scanner detections:
8 / 68

Status:
Adware

Explanation:
The program will mine for Bitcoin using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
12/26/2024 10:53:01 AM UTC

Scan engine          Detection                                            Engine version
avast!               Win32:Amonetize-JS [PUP]                             2014.9-150912
AVG                  Generic                                              2016.0.2989
Baidu Antivirus      Hacktool.Win32.BitCoinMiner                          4.0.3.15912
ESET NOD32           Win32/BitCoinMiner.BY potentially unsafe (variant)   9.12227
IKARUS anti.virus    Trojan.BitCoinMiner                                  t3scan.1.9.5.0
Quick Heal           RiskTool.BitCoinMin.09327                            9.15.14.00
Reason Heuristics    PUP.Amonitize.OpenSource.Installer (M)               15.9.12.3
Sophos               Bitcoin Miner (PUA)                                  4.98

File size:
4.1 MB (4,286,936 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\awhd883.tmp

Digital Signature
Signed by:
LLC "DIIL-SOFT"
Authority:
COMODO CA Limited

Valid from:
3/31/2015 4:00:00 PM

Valid to:
3/31/2016 3:59:59 PM

Subject:
CN="LLC ""DIIL-SOFT""", O="LLC ""DIIL-SOFT""", STREET="Bud. 1/1 kv. 53, vul.Artyleriiska", L=Odesa, S=Odesa, PostalCode=65000, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
156BBAD6D18CB9FA0E8C2027D2B39A9C

File PE Metadata
Compilation timestamp:
10/6/2014 9:40:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:ZUp2dYv7uz7HlaFE6CbYVRdU+iGmydjiDc/yMuWXl9xL6Xg:ZUp2yzuzMzVbUkliDrAFog

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...

Entropy:
7.9985

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
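Static triage of a sample like this one, as an added example (this is not code from the original page or from any vendor listed on it). The script computes the MD5/SHA-1/SHA-256 hashes and compares them with the indicators given above, measures byte entropy (the 7.9985 reported above is what a compressed NSIS payload looks like), looks for the NSIS first-header signature, flags the "%LOCALAPPDATA%\Temp\*.tmp" staging path, and parses the COFF and PE32 optional-header fields shown under "File PE Metadata" (compile timestamp, linker version, OS version, subsystem, entry RVA, code size). build_sample_pe() fabricates a minimal PE32 carrying the page's values so the script runs offline; it is a constructed stand-in, not the real awhd883.tmp, and the sample path is an assumption.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Indicators copied from the page for awhd883.tmp.
KNOWN_BAD = {
    "md5": "a61a4b0603f13b9bd2a8a8776373ee0f",
    "sha1": "6005589d69c1adf5dfd4417d37dd552859b184bb",
    "sha256": "faaa14c6ab1636d60ebd03b44c755739b57912ea19fe27741b8af71471d27bb0",
}
NSIS_MAGIC = b"NullsoftInst"            # signature inside the NSIS "first header" block
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Win32", 0x8664: "x64"}


def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_known_bad(data: bytes) -> bool:
    h = hashes(data)
    return any(h[algo] == value for algo, value in KNOWN_BAD.items())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; > 7 suggests packing."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF header and PE32 optional-header fields the page reports."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    machine, _nsect, timestamp, _, _, _optsz, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER32
    magic, major_linker, minor_linker, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    major_os, minor_os = struct.unpack_from("<HH", data, opt + 40)  # MajorOS/MinorOSVersion
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]      # Subsystem
    return {"bitness": MACHINES.get(machine, hex(machine)),
            "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
            "linker_version": f"{major_linker}.{minor_linker}",
            "size_of_code": size_of_code, "entry_rva": entry_rva,
            "os_version": f"{major_os}.{minor_os}",
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem))}


def suspicious_path(path: str) -> bool:
    """Executable staged as a .tmp inside the per-user Temp folder (the page's common path)."""
    p = path.lower().replace("/", "\\")
    return "\\appdata\\local\\temp\\" in p and p.endswith(".tmp")


def triage(data: bytes, path: str = "") -> dict:
    return {"hashes": hashes(data), "known_bad": matches_known_bad(data),
            "entropy": round(shannon_entropy(data), 4), "is_nsis": NSIS_MAGIC in data,
            "suspicious_path": suspicious_path(path), "pe": parse_pe_header(data)}


def build_sample_pe() -> bytes:
    """Constructed stand-in: minimal PE32 header carrying the page's metadata values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    ts = int(datetime(2014, 10, 6, 21, 40, 17, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 5, ts, 0, 0, 224, 0x010F)  # i386, 5 sections
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 6, 0, 23552)           # PE32, linker 6.0, code size
    struct.pack_into("<I", opt, 16, 0x3217)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                          # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                              # IMAGE_SUBSYSTEM_WINDOWS_GUI
    # Fake NSIS first header (0xDEADBEEF + magic) followed by high-entropy "compressed" bytes.
    payload = b"\xef\xbe\xad\xde" + NSIS_MAGIC + bytes(range(256)) * 4
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload


if __name__ == "__main__":
    print(triage(build_sample_pe(), r"C:\users\alice\appdata\local\temp\awhd883.tmp"))
```

Run it against a real file with `triage(open(path, "rb").read(), path)`. A hash hit is the strongest signal; a miss only means a different build, so the NSIS marker, the entropy near 8, and the Temp-folder .tmp path remain useful pivots for hunting related droppers.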

The file awhd883.tmp has been seen being distributed from setup-14b7.kxcdn.com.
