nsp3902.tmp

ETHM - Setup

LLC

The file nsp3902.tmp by LLC has been detected as adware by 7 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. It is a malicious Bitcoin miner. Bitcoin-mining malware forces the infected computer to generate Bitcoins for the cybercriminals' benefit, consuming computing power in the process. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from 113.171.224.210 and multiple other hosts.
Publisher:
Open Source (signed by LLC)

Product:
ETHM - Setup

Version:
0.9.41

MD5:
46451d03d06d51eea911921cf48f0a20

SHA-1:
5072fb3f7173b48928584a8128a2c16523a5ae84

SHA-256:
c9d781283a3a6db35ec5d715080b7ac8ebf63839e87929b4c07bfa1fdcf647f9

Scanner detections:
7 / 68

Status:
Adware

Explanation:
The program mines Bitcoins in the background using the computer's GPU and may be installed and run without the user's knowledge.

Analysis date:
11/24/2024 10:32:06 AM UTC

Scan engine
Detection
Engine version

AhnLab V3 Security
Unwanted/Win32.BitCoinMiner
2015.11.26

Clam AntiVirus
Win.Trojan.Agent-954461
0.98/21511

Dr.Web
Trojan.BtcMine.711
9.0.1.0330

Kaspersky
not-a-virus:RiskTool.Win32.BitCoinMiner
14.0.0.1061

Qihoo 360 Security
QVM42.0.Malware.Gen
1.0.0.1077

Quick Heal
(Suspicious) - DNAScan
11.15.14.00

Reason Heuristics
PUP.Amonitize.OpenSource.Installer (M)
15.11.26.18

File size:
990 KB (1,013,736 bytes)

Product version:
0.9.41

Copyright:
2015 - Open Source

Original file name:
-

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\nsp3902.tmp

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
5/6/2015 9:00:00 PM

Valid to:
5/6/2016 8:59:59 PM

Subject:
CN="LLC ""YOPTA SOFT""", O="LLC ""YOPTA SOFT""", STREET="str.Tsytadelna, 7", L=Kiev, S=Kiev, PostalCode=01015, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
1CAFDF1C4C426FC3DD811D48793D99C9

File PE Metadata
Compilation timestamp:
8/4/2015 9:47:32 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:wCuIAbJ2l/3DASDQ1ze9H1OXLPIP8hYJ/29BbkUEZ1heV:6b2/TzU+UPOSYJ/29BbkFdu

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 67, 44, 00, E8, 05, 2E, 00, 00, A3, 04, 67, 44, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, 94, 42, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 27, 44, 00, E8, AF, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, F0, 46, 00, 50, 55, E8, 9D, 2A...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsp3902.tmp has been seen being distributed by the following 4 URLs.

http://113.171.224.210/.../Cdn.exe

http://113.171.224.244/.../Cdn.exe

http://113.171.224.169/.../Cdn.exe
