installer.exe

Setup

LLC "SOFT DATA SISTEM"

The application installer.exe, signed by LLC "SOFT DATA SISTEM" and carrying the publisher string "Open Source", has been detected by 14 of 68 anti-malware scanners and is classified by this report as adware. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The engines that name the threat identify it as a Bitcoin miner: most flag it as potentially unwanted software (PUP, riskware, "not-a-virus"), while Dr.Web, Avira and VIPRE classify it as a Trojan. Bitcoin-mining malware makes the victim's computer generate cryptocurrency for the distributor's benefit, consuming CPU or GPU time and electricity with no benefit to the user, and is usually installed and run without the user's knowledge. The file has typically been executed from the Internet Explorer cache folder (Temporary Internet Files\Content.IE5), which indicates it was fetched by the browser and launched directly rather than deliberately saved by the user. It has been seen being downloaded from installer-14b7.kxcdn.com and multiple other hosts. Note that the file carries a valid Authenticode signature from a COMODO-issued code-signing certificate; a valid signature establishes only who signed the file, not that it is safe, and here the certificate subject (a company registered in Odesa, UA) does not match the "Open Source" publisher and copyright strings embedded in the executable.
Publisher:
Open Source  (signed by LLC "SOFT DATA SISTEM")

Product:
Setup

Version:
1.2

MD5:
1d7dec236187389ae89e5fa7f4e30ed4

SHA-1:
99d8ef4e635e49da3c95e22b38ebd64faff37fa5

SHA-256:
f788a624eccea1f2b16a00a66c81625b00ab73045db93fb70f1353561bd412cc

Scanner detections:
14 / 68

Status:
Adware

Explanation:
The program will mine for Bitcoins in the background using the computer's GPU (or CPU; Sophos identifies it as CpuMiner) and may be installed and run without the user's knowledge.

Analysis date:
11/24/2024 5:37:22 AM UTC

Scan engine          Detection                                             Engine version
Agnitum Outpost      Riskware.Agent                                        7.1.1
AhnLab V3 Security   Unwanted/Win32.BitCoinMiner                           2015.10.28
Avira AntiVirus      TR/BitCoinMiner.4628256                               8.3.2.2
avast!               Multi:BitCoinMiner-B [PUP]                            2014.9-151027
AVG                  Generic_r                                             2016.0.2943
Dr.Web               Trojan.BtcMine.730                                    9.0.1.0300
ESET NOD32           Win32/BitCoinMiner.BY potentially unsafe (variant)    9.12473
IKARUS anti.virus    PUA.BitCoinMiner                                      t3scan.1.9.5.0
K7 AntiVirus         Unwanted-Program                                      13.212.17669
Kaspersky            not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner          14.0.0.1211
Quick Heal           RiskTool.BitCoinMin.09327                             10.15.14.00
Reason Heuristics    PUP.Amonitize.OpenSource.Installer (M)                15.10.27.21
Sophos               CpuMiner (PUA)                                        4.98
VIPRE Antivirus      Trojan.Win32.Generic                                  44850

File size:
4.1 MB (4,300,984 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\installer.exe

Digital Signature
Signed by:
LLC "SOFT DATA SISTEM"
Authority:
COMODO CA Limited

Valid from:
6/29/2015 2:00:00 AM

Valid to:
6/29/2016 1:59:59 AM

Subject:
CN="LLC ""SOFT DATA SISTEM""", O="LLC ""SOFT DATA SISTEM""", STREET="Bud. 71 kv. 167, vul.Marshala Malynovskogo", L=Odesa, S=65074, PostalCode=65074, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
038055A53CEDE11B348157AAC339B85C

File PE Metadata
Compilation timestamp:
10/7/2014 6:40:17 AM  (predates the certificate's validity period; for an NSIS package this is typically the build time of the prebuilt NSIS stub, not the time this installer was assembled)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:w3X4sodqJvDkvt7GPHuteVT+y+6j3I9U3pT3M:w3X4sodOGw1VT+yJjHa

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...

Entropy:
7.9985  (close to the 8.0 maximum, as expected for an NSIS package whose payload is compressed; high entropy by itself does not distinguish a miner from a benign installer)

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
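The fields above (the three digests, the entropy figure and the NSIS packer identification) are the ones an analyst recomputes when triaging a quarantined copy of a file against a report like this. The script below is an added example, not code from the original page or from Reason Core Security: it recomputes the digests and matches them against the indicators listed above, computes Shannon entropy on the same 0..8 scale as the report's "Entropy" field, and looks for the NSIS first-header magic that marks a Nullsoft installer. The sample buffer it builds is constructed for the example and is not the real installer.exe; all function names are the example's own.

```python
"""Offline triage against the indicator list on this page.

Added example, not code from the original page or from Reason Core Security.
It recomputes the three digests listed above, a Shannon entropy figure on the
same 0..8 scale as the report's "Entropy" field, and looks for the NSIS
first-header magic that marks a Nullsoft installer. The sample buffer at the
bottom is constructed here and is not the real installer.exe; all function
names are this example's own.
"""
import hashlib
import math
import random
from collections import Counter

# Digests copied verbatim from the report above.
REPORT_IOCS = {
    "md5": "1d7dec236187389ae89e5fa7f4e30ed4",
    "sha1": "99d8ef4e635e49da3c95e22b38ebd64faff37fa5",
    "sha256": "f788a624eccea1f2b16a00a66c81625b00ab73045db93fb70f1353561bd412cc",
}

# NSIS appends a "first header" after its stub: 4 flag bytes, the little-endian
# marker 0xDEADBEEF, then the ASCII magic "NullsoftInst". The flags vary, so
# only the fixed 16-byte tail is searched for.
NSIS_MAGIC = b"\xef\xbe\xad\xde" + b"NullsoftInst"


def digests(data: bytes) -> dict:
    """Hex MD5 / SHA-1 / SHA-256 of data, keyed like REPORT_IOCS."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs: dict = REPORT_IOCS) -> list:
    """Sorted names of the digests in `iocs` that `data` matches."""
    have = digests(data)
    return sorted(name for name, value in iocs.items()
                  if have.get(name) == value.lower())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one.

    Values close to 8, like the 7.9985 in the report, mean the file is mostly
    compressed or encrypted data. Every NSIS package carries a compressed
    payload, so this alone does not separate a miner from a benign installer.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_nsis(data: bytes) -> bool:
    """True when the NSIS first-header magic is present anywhere in the file."""
    return NSIS_MAGIC in data


def triage(data: bytes) -> dict:
    """One record per file, ready to compare with the report's fields."""
    return {
        "size": len(data),
        "digests": digests(data),
        "ioc_matches": match_iocs(data),
        "entropy": round(shannon_entropy(data), 4),
        "nsis": is_nsis(data),
    }


def build_sample() -> bytes:
    """Constructed stand-in: a DOS-style header, the NSIS marker, then 4 KiB of
    deterministic pseudo-random bytes standing in for a compressed payload."""
    rng = random.Random(1)
    header = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n$"
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return header + b"\x00" * 4 + NSIS_MAGIC + payload


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
    # Real use: triage(open(path, "rb").read()) on a copy of the quarantined file.
```

On the real sample, `ioc_matches` would list all three digests and `nsis` would be true; the constructed buffer matches none of the page's digests, which is the expected result for any file other than the one analysed. The digest comparison is the only hard match; the entropy and NSIS checks are corroborating signals that also hold for legitimate Nullsoft installers.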

The file installer.exe has been seen being distributed by the following 2 URLs.

Remove installer.exe - Powered by Reason Core Security