nsi83e8.tmp

Setup

LLC "Invest -Proekt"

The file nsi83e8.tmp, signed by LLC "Invest -Proekt", has been detected as adware by 18 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. It is a malicious Bitcoin miner: Bitcoin-mining malware forces the victim's computer to generate Bitcoins for the operator's benefit and consumes the machine's computing power while doing so. Like other NSIS stubs, it is executed from the user's temporary directory (see the common path below). The file has been seen being downloaded from zone2-14b7.kxcdn.com. Note that the installer stub itself is a 32-bit PE (see OS bitness below), while the ESET name refers to a 64-bit miner component.
Publisher:
Open Source (signed by LLC "Invest -Proekt")

Product:
Setup

Version:
1.2

MD5:
b60781377bb5a8527d2fb92ccfef3cd8

SHA-1:
b709699e5f1640d736e1348cb803d88c9e526435

SHA-256:
8edc416c811baabbb09f6d1e08ff6973aaea3877d8f13f9f9cc905c8b266d192

Scanner detections:
18 / 68

Status:
Adware

Explanation:
The program mines Bitcoins in the background using the computer's GPU, and may be installed and run without the user's knowledge.

Analysis date:
11/24/2024 6:39:17 AM UTC

Scan engine          Detection                                        Engine version
Agnitum Outpost      Riskware.Agent                                   7.1.1
Avira AntiVirus      TR/BitCoinMiner.4628256                          8.3.2.4
avast!               Multi:BitCoinMiner-B [PUP]                       2014.9-151120
AVG                  CoinMiner                                        2016.0.2919
Baidu Antivirus      Hacktool.Win32.BitCoinMiner                      4.0.3.151120
Clam AntiVirus       Win.Trojan.Bitcoinminer-100                      0.98/21511
Dr.Web               Trojan.BtcMine.711                               9.0.1.0324
ESET NOD32           Win64/BitCoinMiner.AP potentially unsafe         9.12595
Fortinet FortiGate   Riskware/BitCoinMiner                            11/20/2015
G Data               Archive.Application.Agent.62RD33                 15.11.25
IKARUS anti.virus    PUA.BitCoinMiner                                 t3scan.1.9.5.0
K7 AntiVirus         Unwanted-Program                                 13.212.17910
Kaspersky            not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner     14.0.0.1091
Qihoo 360 Security   HEUR/QVM42.1.Malware.Gen                         1.0.0.1077
Quick Heal           RiskTool.BitCoinMin.09327                        11.15.14.00
Reason Heuristics    PUP.Amonitize.OpenSource.Installer (M)           15.11.20.16
Sophos               CpuMiner (PUA)                                   4.98
VIPRE Antivirus      Trojan.Win32.Generic                             45304

File size:
4.1 MB (4,299,672 bytes)

Product version:
1.2

Copyright:
2015 - Open Source

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\nsi83e8.tmp

Digital Signature
Signed by:
LLC "Invest -Proekt"
Authority:
COMODO CA Limited

Valid from:
5/28/2015 5:00:00 PM

Valid to:
5/28/2016 4:59:59 PM

Subject:
CN="LLC ""Invest -Proekt""", O="LLC ""Invest -Proekt""", STREET="Geroev Stalingrada str., 156", L=Dnipropetrovsk, S=Dnipropetrovska obl., PostalCode=49000, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
587B444820E01109AE86078C4B64D02A
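Two things in the signature block deserve a second look: the subject's country field is C=US while the street, locality and state name Dnipropetrovsk, Ukraine, and the certificate's validity window (5/28/2015 to 5/28/2016) had long expired by the analysis date, so unless the signature carries a trusted timestamp countersignature Windows no longer treats it as valid. The following is an added example, not Reason Core Security's tooling: it parses the quoted, comma-separated Subject and Issuer strings exactly as printed above (doubled quotes inside a quoted value, commas inside the STREET value) and checks a date against the validity window. The strings and dates are copied from the report; the parser and the report helper are assumed triage code.

```python
# Added example for this report (not Reason Core Security's tooling): parse the quoted,
# comma-separated Subject and Issuer strings shown above and check the certificate's
# validity window against the analysis date. The strings and dates are copied from the
# report; the parser and checks are an assumed triage helper.
from datetime import datetime
from typing import Dict, List

SUBJECT = ('CN="LLC ""Invest -Proekt""", O="LLC ""Invest -Proekt""", '
           'STREET="Geroev Stalingrada str., 156", L=Dnipropetrovsk, '
           'S=Dnipropetrovska obl., PostalCode=49000, C=US')
ISSUER = ("CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, "
          "L=Salford, S=Greater Manchester, C=GB")
VALID_FROM = "5/28/2015 5:00:00 PM"
VALID_TO = "5/28/2016 4:59:59 PM"
ANALYSIS_DATE = "11/24/2024 6:39:17 AM"
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"


def split_dn(dn: str) -> List[str]:
    """Split on commas that are outside double quotes. A doubled quote inside a quoted
    value toggles the state twice, so it needs no special casing here."""
    parts, buf, in_quotes = [], [], False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def unquote(value: str) -> str:
    """Strip enclosing quotes and collapse "" to " (the quoting used in the report)."""
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1].replace('""', '"')
    return v


def parse_dn(dn: str) -> Dict[str, str]:
    """Return the RDNs as an attribute -> value dict (first occurrence wins)."""
    rdns: Dict[str, str] = {}
    for part in split_dn(dn):
        key, _, value = part.partition("=")
        rdns.setdefault(key.strip(), unquote(value))
    return rdns


def valid_at(when: str, valid_from: str = VALID_FROM, valid_to: str = VALID_TO) -> bool:
    """True if `when` falls inside the certificate's notBefore/notAfter window.
    Without a trusted timestamp countersignature, Authenticode does not validate a
    signature outside this window, so an expired cert matters at analysis time."""
    t = datetime.strptime(when, DATE_FMT)
    return datetime.strptime(valid_from, DATE_FMT) <= t <= datetime.strptime(valid_to, DATE_FMT)


def signer_report(subject: str = SUBJECT, issuer: str = ISSUER,
                  when: str = ANALYSIS_DATE) -> Dict[str, object]:
    """Fields an analyst compares by eye: who signed, who issued, where the subject
    claims to be, and whether the cert was still valid at `when`."""
    s, i = parse_dn(subject), parse_dn(issuer)
    return {
        "signer": s.get("CN"),
        "signer_country": s.get("C"),
        "signer_locality": s.get("L"),
        "ca": i.get("CN"),
        "ca_country": i.get("C"),
        "in_validity_window": valid_at(when),
        "self_signed": s.get("CN") == i.get("CN"),
    }


if __name__ == "__main__":
    for k, v in signer_report().items():
        print(f"{k:>20}: {v}")
```

The quote-toggling splitter is deliberately the only parsing logic: the report's DN format is the one Windows prints (commas separate RDNs, values containing commas or quotes are wrapped in double quotes with inner quotes doubled), and handling it with a state machine instead of a regular expression is what keeps the STREET value intact.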

File PE Metadata
Compilation timestamp:
10/6/2014 9:40:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:iHzhOXQaHzSnDE3pG3BrTMelYGlJP72hEqc01MCsvOQ6ll2:i8Bz1kxfMel7p2hEN010vjCl2

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...

Entropy:
7.9986

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
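The metadata above is what a first-pass static triage keys on: the NSIS stub signature, an entropy of 7.9986 (the maximum is 8, so the payload is compressed or encrypted), a drop location under the user's temp directory, and the three file hashes. The following is an added example, not Reason Core Security's tooling: it implements those checks in one function and runs them over a constructed stand-in file. The IOC hashes and common path are copied from the report; the sample bytes, the entropy threshold and the verdict labels are assumptions made for the example.

```python
# Added example for this report (not Reason Core Security's tooling): static triage
# checks for an NSIS setup stub found in a user's temp directory. The IOC hashes and
# the common path are taken from the report above; the sample bytes at the bottom are
# constructed for demonstration and are not the real nsi83e8.tmp.
import hashlib
import math
import re

# Hashes listed in the report.
IOC_HASHES = {
    "md5": "b60781377bb5a8527d2fb92ccfef3cd8",
    "sha1": "b709699e5f1640d736e1348cb803d88c9e526435",
    "sha256": "8edc416c811baabbb09f6d1e08ff6973aaea3877d8f13f9f9cc905c8b266d192",
}

# NSIS "first header" signature: the 0xDEADBEEF marker (little-endian) followed by the
# ASCII tag "NullsoftInst", present in the data block of NSIS 2.x installers.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"

# Per-user temp directory, matching the report's common path.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Assumed threshold for "compressed or encrypted payload"; the report shows 7.9986 of 8.
HIGH_ENTROPY = 7.9


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the raw file, for comparison against IOC_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_nsis(data: bytes) -> bool:
    """True if the NSIS first-header signature appears anywhere in the file."""
    return NSIS_MAGIC in data


def in_user_temp(path: str) -> bool:
    """True for files dropped under C:\\users\\<user>\\appdata\\local\\temp\\."""
    return USER_TEMP_RE.match(path) is not None


def triage(path: str, data: bytes) -> dict:
    """Combine the checks: 'known' on a hash hit, 'suspicious' when an NSIS stub with a
    high-entropy payload runs from the user's temp directory, 'unknown' otherwise."""
    hashes = file_hashes(data)
    entropy = shannon_entropy(data)
    result = {
        "known_hash": any(hashes[k] == v for k, v in IOC_HASHES.items()),
        "nsis": is_nsis(data),
        "temp_drop": in_user_temp(path),
        "entropy": round(entropy, 4),
        "high_entropy": entropy >= HIGH_ENTROPY,
    }
    if result["known_hash"]:
        result["verdict"] = "known"
    elif result["nsis"] and result["temp_drop"] and result["high_entropy"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "unknown"
    return result


# Constructed stand-in: a DOS header prefix, the NSIS marker, then uniformly distributed
# bytes standing in for the compressed payload. Not the real nsi83e8.tmp.
SAMPLE_PATH = r"C:\users\alice\appdata\local\temp\nsi83e8.tmp"
SAMPLE_DATA = b"MZ" + NSIS_MAGIC + bytes(range(256)) * 16

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATH, SAMPLE_DATA).items():
        print(f"{key:>12}: {value}")
```

The hash comparison is the only check that identifies this specific file; the other three are generic and fire on any NSIS-packaged program running from the temp directory, so treat them as a reason to look closer rather than as a detection on their own.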

The file nsi83e8.tmp has been seen being distributed from zone2-14b7.kxcdn.com.
