cpuminer.exe

CPU Miner - Setup

LLC "SOFT-INDASTRI GROUP"

The file cpuminer.exe, signed by LLC "SOFT-INDASTRI GROUP", has been flagged by 21 of 68 anti-malware scanners and is classified here as adware. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer and delivers a Bitcoin miner. Mining software of this kind uses the victim's CPU to generate coins for whoever deployed it; its main visible effect is sustained processor load. Most engines rate it as a potentially unwanted program or riskware rather than a trojan (for example Kaspersky's not-a-virus:RiskTool.Win32.BitCoinMiner and ESET's "potentially unsafe" rating), while Dr.Web and Arcabit classify it as a trojan. It is typically executed from the user's temporary directory. The file has been seen being downloaded from cdn-14b7.kxcdn.com.
Publisher:
Open Source (signed by LLC "SOFT-INDASTRI GROUP")

Product:
CPU Miner - Setup

Version:
1.1

MD5:
bbbb977e0d9e9a17c8a1084c4ca08d4f

SHA-1:
8b59949e4444890077d372cc8fdff33c45280180

SHA-256:
93e5b0991e931030cc7677894fed18783ecf0fb51b10ae4e47a650d6391a823a

Scanner detections:
21 / 68

Status:
Adware

Explanation:
The program mines Bitcoin in the background using the computer's CPU (it is a CPU miner, as the product name states, not a GPU miner) and may be installed and run without the user's knowledge.

Analysis date:
12/27/2024 5:45:18 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Strictor.87902 | 460
Arcabit | Trojan.Strictor.D1575E | 1.0.0.425
avast! | Win64:PUP-gen [PUP] | 2014.9-151101
AVG | CoinMiner | 2016.0.2938
Baidu Antivirus | Hacktool.Win32.BitCoinMiner | 4.0.3.15111
Bitdefender | Gen:Variant.Strictor.87902 | 1.0.20.1525
Dr.Web | Trojan.BtcMine.725 | 9.0.1.0305
Emsisoft Anti-Malware | Gen:Variant.Strictor.87902 | 8.15.11.01.01
ESET NOD32 | Win64/BitCoinMiner.AT potentially unsafe (variant) | 9.11918
Fortinet FortiGate | Adware/BitCoinMiner | 11/1/2015
F-Secure | Gen:Variant.Strictor.87902 | 11.2015-01-11_1
G Data | Gen:Variant.Strictor.87902 | 15.11.25
K7 AntiVirus | Unwanted-Program | 13.205.16517
Kaspersky | not-a-virus:RiskTool.Win32.BitCoinMiner | 14.0.0.1187
McAfee | Artemis!CC5C813B7D96 | 5600.6594
MicroWorld eScan | Gen:Variant.Strictor.87902 | 16.0.0.915
NANO AntiVirus | Riskware.Nsis.BitCoinMiner.dqgttf | 0.30.24.2487
Panda Antivirus | Trj/CI.A | 15.11.01.01
Qihoo 360 Security | Win32/Virus.RiskTool.0d0 | 1.0.0.1015
Reason Heuristics | PUP.Amonitize.OpenSource.Installer (M) | 15.11.1.13
VIPRE Antivirus | Trojan.Win32.Generic | 41872

File size:
4.4 MB (4,604,392 bytes)

Product version:
1.1

Copyright:
2015 - Open Source

Original file name:
cpuminer.exe

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\awhca99.tmp

Digital Signature
Signed by:
LLC "SOFT-INDASTRI GROUP"

Authority:
COMODO CA Limited

Valid from:
6/29/2015 2:00:00 AM

Valid to:
6/29/2016 1:59:59 AM

Subject:
CN="LLC ""SOFT-INDASTRI GROUP""", O="LLC ""SOFT-INDASTRI GROUP""", STREET="street Pidvysotsky, house 10/10, office 60", L=Kiev, S=Kiev, PostalCode=01103, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00CBF0B4B2E7F3FE05A1CCD9AFD74EB1AB

File PE Metadata
Compilation timestamp:
10/7/2014 6:40:30 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:6ka/dIj4zrvxLdfQVJT6tjzMRnqf7dnDHKjVzG+QbKH0FTOlSDe364bEjdNd:D4XDQ3T6tMRn4dnDHKjlx70qK44xNd

Entry address:
0x3239

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, 98, E4, 42, 00, E8, C0, 2D, 00, 00, A3, E4, E3, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, 20, 88, 42, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, E0, DB, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 40, 43, 00, 50, 55, E8, 58, 2A...

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)
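As an added example (not part of this report and not code from the cpuminer project), the following Python script checks a file against the indicators listed above: the three hashes and the file size, the NSIS data marker (0xDEADBEEF followed by "NullsoftInst") that NSIS installers carry in their payload, and the first bytes at the PE entry point, which the report shows as the NSIS 2.x stub prologue. It also reads the linker version and compile timestamp from the COFF and optional headers, parsing the PE by hand with only the standard library. The helper build_fake_pe() is an assumption for offline use: it constructs a tiny synthetic PE32 carrying the report's entry prefix, linker version and compile timestamp so the script runs without the real sample.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Indicators copied from the report above.
IOC_HASHES = {
    "md5": "bbbb977e0d9e9a17c8a1084c4ca08d4f",
    "sha1": "8b59949e4444890077d372cc8fdff33c45280180",
    "sha256": "93e5b0991e931030cc7677894fed18783ecf0fb51b10ae4e47a650d6391a823a",
}
IOC_SIZE = 4_604_392
# First 16 entry-point bytes from the report (NSIS 2.x stub prologue).
NSIS_ENTRY_PREFIX = bytes.fromhex("81EC8401000053555633DB57895C2418")
# 0xDEADBEEF (little-endian) followed by "NullsoftInst" marks the NSIS data block.
NSIS_MARKER = b"\xEF\xBE\xAD\xDENullsoftInst"


def file_hashes(data: bytes) -> dict:
    """Return hex MD5 / SHA-1 / SHA-256 of the file contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_info(data: bytes):
    """Parse just enough of the PE headers to locate the entry point.

    Returns (entry_rva, entry_file_offset, linker_version, compile_time),
    or None when the data is not a (well-formed enough) PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    major, minor = struct.unpack_from("<BB", data, opt + 2)      # linker version
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    compile_time = datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    sect = opt + opt_size
    if sect + nsections * 40 > len(data):
        return None
    # Walk the section table to map the entry RVA to a raw file offset.
    entry_off = None
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + i * 40 + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            entry_off = entry_rva - vaddr + rawptr
            break
    return entry_rva, entry_off, f"{major}.{minor}", compile_time


def entry_point_bytes(data: bytes, n: int = 16):
    """Return the first n bytes of code at the PE entry point, or None."""
    info = pe_info(data)
    if info is None or info[1] is None:
        return None
    return data[info[1]:info[1] + n]


def triage(data: bytes) -> dict:
    """Compare file contents with the report's indicators."""
    hashes = file_hashes(data)
    info = pe_info(data)
    entry = entry_point_bytes(data, len(NSIS_ENTRY_PREFIX))
    return {
        **hashes,
        "size": len(data),
        "ioc_hash_match": any(hashes[k] == v for k, v in IOC_HASHES.items()),
        "ioc_size_match": len(data) == IOC_SIZE,
        "nsis_marker": NSIS_MARKER in data,
        "entry_rva": info[0] if info else None,
        "entry_prefix_match": entry == NSIS_ENTRY_PREFIX,
        "linker_version": info[2] if info else None,
        "compile_time": info[3] if info else None,
    }


def build_fake_pe(entry_code: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample (not the real file): a minimal PE32 with one .text
    section at RVA 0x1000 whose first bytes are entry_code, plus an overlay."""
    e_lfanew, section_rva, raw_ptr = 0x40, 0x1000, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Optional header: PE32 magic, linker 6.0, SizeOfCode, entry point = section start.
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, len(entry_code), 0, 0, section_rva)
    opt += b"\0" * (0xE0 - len(opt))
    # COFF header carrying the report's compile timestamp (2014-10-07 06:40:30 UTC).
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1412664030, 0, 0, len(opt), 0x0102)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(entry_code), section_rva,
                                        len(entry_code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + opt + sect
    return header + b"\0" * (raw_ptr - len(header)) + entry_code + overlay


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        sample = build_fake_pe(NSIS_ENTRY_PREFIX, b"\0" * 4 + NSIS_MARKER)
    for key, value in triage(sample).items():
        print(f"{key:20} {value}")
```

Run it with a file path to triage a real sample, or without arguments to see the synthetic PE reported as NSIS with a matching entry prefix but no hash match. A hash match is the only positive identification; the NSIS marker and stub prologue are shared by every NSIS 2.x installer and only say "this is an NSIS package", which is why engines such as NANO name the family Riskware.Nsis.* . The ssdeep value above is not checked here because fuzzy-hash comparison needs the ssdeep library.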

The file cpuminer.exe has been seen being distributed from cdn-14b7.kxcdn.com.

Remove cpuminer.exe - Powered by Reason Core Security