cdn.exe

ETHM - Setup

LLC

cdn.exe, published by LLC, has been flagged as adware by 10 of the anti-malware scanners consulted. It is a setup program built with the NSIS (Nullsoft Scriptable Install System) installer and carries a malicious Bitcoin miner. Bitcoin-mining malware forces the infected computer to generate Bitcoins for the cybercriminals' benefit, consuming the machine's computing power in the process. The file has been observed being downloaded from 113.171.224.210 and multiple other hosts.
Publisher:
Open Source (signed by LLC)

Product:
ETHM - Setup

Version:
0.9.41

MD5:
8ab1215f5d7e6f9c3a404d6d20a695c1

SHA-1:
15025a93a542881814883201f61becc4034160c9

SHA-256:
464741d8252eeb3f778ee36da027667cf12bbdb1a4ac4498c2ad68bd357f2127

Scanner detections:
10 / 68

Status:
Adware

Explanation:
The program mines for Bitcoins in the background using the computer's GPU, and may be installed and run without the user's knowledge.

Analysis date:
12/27/2024 6:42:17 PM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | Unwanted/Win32.BitCoinMiner | 2015.11.21
Clam AntiVirus | Win.Trojan.Generickd-3949 | 0.98/21511
Dr.Web | Trojan.BtcMine.730 | 9.0.1.0325
Kaspersky | not-a-virus:RiskTool.Win32.BitCoinMiner | 14.0.0.1088
McAfee | Artemis!CC192C10399A | 5600.6575
Panda Antivirus | Generic Suspicious | 15.11.21.09
Qihoo 360 Security | HEUR/QVM42.0.Malware.Gen | 1.0.0.1077
Quick Heal | (Suspicious) - DNAScan | 11.15.14.00
Reason Heuristics | PUP.Amonitize.OpenSource.Installer (M) | 15.11.21.9
SUPERAntiSpyware | Hack.Tool/Gen-BitCoinMiner | 9494

File size:
989.3 KB (1,013,048 bytes)

Product version:
0.9.41

Copyright:
2015 - Open Source

Original file name:
-

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\7b9f8ip4\cdn.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/29/2015 3:00:00 AM

Valid to:
6/29/2016 2:59:59 AM

Subject:
CN="LLC ""SOFT DATA SISTEM""", O="LLC ""SOFT DATA SISTEM""", STREET="Bud. 71 kv. 167, vul.Marshala Malynovskogo", L=Odesa, S=65074, PostalCode=65074, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
038055A53CEDE11B348157AAC339B85C

File PE Metadata
Compilation timestamp:
10/7/2014 7:40:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:2OTyTOq6KSXZ6y8/1lQlKfGWuhxtgaNBfbhj6duc+1:Ny6FxJ6y8/1lQlfWyLN9Nj6dr+1

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...

Entropy:
7.9825

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file cdn.exe has been seen being distributed by the following 2 URLs.

http://113.171.224.210/.../Cdn.exe
