nsi21d7.tmp

Setup

LLC

The file nsi21d7.tmp by LLC has been detected as adware by 15 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. It is a malicious Bitcoin miner: Bitcoin-mining malware forces the infected computer to generate Bitcoins for the cybercriminals' benefit, consuming its computing power in the process. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from 113.171.224.210 and multiple other hosts.
Publisher:
Open Source (signed by LLC)

Product:
Setup

Version:
1.2

MD5:
6e396788b5e9c0971ddb3bcdff494280

SHA-1:
fc59aeedcff964613742154e93add56d6cf20da7

SHA-256:
4d90fc796ed58b211c318c95d903e018becc1c9e338d9bc8b21a14d7f1c0d8a6

Scanner detections:
15 / 68

Status:
Adware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/28/2024 3:29:43 AM UTC

Scan engine         Detection                                      Engine version
Agnitum Outpost     Riskware.Agent                                 7.1.1
AhnLab V3 Security  Unwanted/Win32.BitCoinMiner                    2015.11.26
Avira AntiVirus     TR/BitCoinMiner.4628256                        8.3.2.4
avast!              Multi:BitCoinMiner-B [PUP]                     2014.9-151127
AVG                 Generic_r                                      2016.0.2913
Clam AntiVirus      Win.Trojan.Agent-954461                        0.98/21511
Dr.Web              Trojan.BtcMine.711                             9.0.1.0331
ESET NOD32          Win64/BitCoinMiner.AP potentially unsafe       9.12626
IKARUS anti.virus   not-a-virus:RiskTool.BitCoinMiner              t3scan.1.9.5.0
K7 AntiVirus        Unwanted-Program                               13.212.17974
Kaspersky           not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner   14.0.0.1059
Qihoo 360 Security  HEUR/QVM42.0.Malware.Gen                       1.0.0.1077
Reason Heuristics   PUP.Amonitize.OpenSource.Installer (M)         15.11.27.2
Sophos              CpuMiner (PUA)                                 4.98
VIPRE Antivirus     Trojan.Win32.Generic                           45438

File size:
4.1 MB (4,300,488 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\nsi21d7.tmp

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
5/6/2015 9:00:00 PM

Valid to:
5/6/2016 8:59:59 PM

Subject:
CN="LLC ""YOPTA SOFT""", O="LLC ""YOPTA SOFT""", STREET="str.Tsytadelna, 7", L=Kiev, S=Kiev, PostalCode=01015, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
1CAFDF1C4C426FC3DD811D48793D99C9

File PE Metadata
Compilation timestamp:
8/4/2015 9:47:32 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:/JNyCAGLDsOO7TJ6gnayoNC3LGo3QDL5IU5tFG:/3XAyonAbmGo3GNlrFG

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 67, 44, 00, E8, 05, 2E, 00, 00, A3, 04, 67, 44, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, 94, 42, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 27, 44, 00, E8, AF, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, F0, 46, 00, 50, 55, E8, 9D, 2A...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsi21d7.tmp has been seen being distributed by the following 3 URLs.

http://113.171.224.210/.../Cdn.exe

http://113.171.224.169/.../Cdn.exe

Powered by Reason Core Security