cpuminer.exe

CPU Miner - Setup

LLC

The file cpuminer.exe by LLC has been detected as adware by 21 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force infected computers to generate Bitcoins for the cybercriminals who control it, consuming the victim's computing power in the process. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn-14b7.kxcdn.com.
Publisher:
Open Source (signed by LLC)

Product:
CPU Miner - Setup

Version:
1.1

MD5:
d23171458c6b03589e6d233627b4667b

SHA-1:
468b71fda44a630e8a62e9558d15857715cadbea

SHA-256:
d75ce56690ea64aac701ec5472e411cd52cbd3fd3b59997745ece970b8ab72e8

Scanner detections:
21 / 68

Status:
Adware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/14/2024 6:05:20 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Strictor.87902 | 573
Avira AntiVirus | TR/BitCoinMiner.2529600 | 8.3.1.6
Arcabit | Trojan.Strictor.D1575E | 1.0.0.425
avast! | Win32:PUP-gen [PUP] | 2014.9-150711
AVG | CoinMiner | 2016.0.3051
Baidu Antivirus | Hacktool.Win32.BitCoinMiner | 4.0.3.15711
Bitdefender | Gen:Variant.Strictor.87902 | 1.0.20.960
Dr.Web | Trojan.BtcMine.726 | 9.0.1.0192
Emsisoft Anti-Malware | Gen:Variant.Strictor.87902 | 8.15.07.11.08
ESET NOD32 | Win64/BitCoinMiner.AT potentially unsafe (variant) | 9.11925
F-Secure | Gen:Variant.Strictor.87902 | 11.2015-11-07_7
G Data | Gen:Variant.Strictor.87902 | 15.7.25
IKARUS anti.virus | Trojan.BitCoinMiner | t3scan.1.9.5.0
K7 AntiVirus | Unwanted-Program | 13.205.16532
Kaspersky | not-a-virus:RiskTool.Win32.BitCoinMiner | 14.0.0.1751
MicroWorld eScan | Gen:Variant.Strictor.87902 | 16.0.0.576
NANO AntiVirus | Trojan.Win32.Ransom.dtleij | 0.30.24.2487
Panda Antivirus | Trj/CI.A | 15.07.11.08
Qihoo 360 Security | Win32/Virus.RiskTool.0d0 | 1.0.0.1015
Reason Heuristics | PUP.Amonitize.OpenSource.Installer (M) | 15.7.11.20
VIPRE Antivirus | Trojan.Win32.Generic | 41916

File size:
4.1 MB (4,257,600 bytes)

Product version:
1.1

Copyright:
2015 - Open Source

Original file name:
cpuminer.exe

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\awh6618.tmp

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/29/2015 3:00:00 AM

Valid to:
6/29/2016 2:59:59 AM

Subject:
CN="LLC ""SOFT-STANDART""", O="LLC ""SOFT-STANDART""", STREET=Bud. 5 vul.Artema, L=Dnipropetrovsk, S=Dnipropetrovska, PostalCode=49000, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00A554F191FD67BB6012F1ABCA785158D0

File PE Metadata
Compilation timestamp:
10/7/2014 7:40:10 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:h86kgrOaz5l98VEfgUsYWDTnM4p4fPrrXuAPI5YPoMIttw7w:IaP9ZlsYWDTMw4fPryWojow

Entry address:
0x30B6

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 90, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, 1C, 71, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, 98, 37, 42, 00, E8, A8, 2D, 00, 00, A3, E4, 36, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, 98, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, 80, 91, 40, 00, 68, E0, 2E, 42, 00, E8, 52, 2A, 00, 00, FF, 15, 20, 71, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 40, 2A...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file cpuminer.exe has been seen being distributed by the following URL.

Remove cpuminer.exe - Powered by Reason Core Security