cdn.exe

CPU Miner - Setup

LLC

The application cdn.exe by LLC has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from cdn-14b7.kxcdn.com.
Publisher:
Open Source  (signed by LLC )

Product:
CPU Miner - Setup

Version:
1.1

MD5:
1015468a96c88512260994fc8649d052

SHA-1:
38972e9964f6e5198a25bfb7dea5a1c0c41c79fe

SHA-256:
e33430c517a7486aa01489467e6cf4a1fb6192998911d01738601573e9393026

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/27/2024 5:53:22 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Amonitize.OpenSource.Installer (M)
16.2.10.3

File size:
2.8 MB (2,958,456 bytes)

Product version:
1.1

Copyright:
2015 - Open Source

Original file name:
cpuminer.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\cdn.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
5/26/2015 2:00:00 AM

Valid to:
5/26/2016 1:59:59 AM

Subject:
CN="LLC ""Soft Lending Grup""", O="LLC ""Soft Lending Grup""", STREET="Str. Patrice Lumumba, 4/6", L=Kiev, S=Kiev, PostalCode=01042, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DB38AB5E9FF3E53AA97E4B4D6DCD7366

File PE Metadata
Compilation timestamp:
10/7/2014 6:40:30 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:b6ylfgzbIhDcGgqR2dpzbm0T6e8vZOUf1rBoZAJ8JK8/KoJAIOLpb6USg7x:rnDUpzzT6jFdBJJ8JT/ZC6USg1

Entry address:
0x3239

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, 98, E4, 42, 00, E8, C0, 2D, 00, 00, A3, E4, E3, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, 20, 88, 42, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, E0, DB, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 40, 43, 00, 50, 55, E8, 58, 2A...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)

The file cdn.exe has been seen being distributed by the following URL.

Remove cdn.exe - Powered by Reason Core Security