home

cpuminer.exe

CPU Miner - Setup

LLC

The file cpuminer.exe by LLC has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn-14b7.kxcdn.com.
Publisher:
Open Source  (signed by LLC )

Product:
CPU Miner - Setup

Version:
1.1

MD5:
36296947ba3a5c899e8bcb6a2e508d9d

SHA-1:
60bf735f0dac10b6e13c83263e260ad1e26a07db

SHA-256:
e3b673e21cb3ce6697921752cec163470be52400648c66536358eed16e4c53b7

Scanner detections:
8 / 68

Status:
Adware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/24/2024 11:10:06 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Malware-gen
150525-2

Baidu Antivirus
Hacktool.Win32.BitCoinMiner
4.0.3.15531

ESET NOD32
Win32/BitCoinMiner.BY potentially unsafe application
7.0.302.0

IKARUS anti.virus
Trojan.BitCoinMiner
t3scan.1.9.2.0

NANO AntiVirus
Riskware.Nsis.BitCoinMiner.dqgttf
0.30.24.1636

Qihoo 360 Security
HEUR/QVM42.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Amonitize.Installer
15.5.31.19

Trend Micro House Call
TROJ_GE.99286339
7.2.151

File size:
2.4 MB (2,511,240 bytes)

Product version:
1.1

Copyright:
2015 - Open Source

Original file name:
cpuminer.exe

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\awh12c6.tmp

Digital Signature
Signed by:
LLC

Authority:
COMODO CA Limited

Valid from:
5/26/2015 3:00:00 AM

Valid to:
5/26/2016 2:59:59 AM

Subject:
CN="LLC ""Soft Lending Grup""", O="LLC ""Soft Lending Grup""", STREET="Str. Patrice Lumumba, 4/6", L=Kiev, S=Kiev, PostalCode=01042, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DB38AB5E9FF3E53AA97E4B4D6DCD7366

File PE Metadata
Compilation timestamp:
10/7/2014 7:40:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:kQpGypbsY9xsxy8u539y2oTiT67Ho8pvrY4VaeYe5kyt1nwa+qtb:v7bn9+xyX1joTiAHogx8s//tb

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file cpuminer.exe has been seen being distributed by the following URL.

http://cdn-14b7.kxcdn.com/cdn.exe

Remove cpuminer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.