806779989c6ea355a1abf4f6c7cb646c.exe

The application 806779989c6ea355a1abf4f6c7cb646c.exe has been detected as a potentially unwanted program by 27 anti-malware scanners. This is a setup program which is used to install the application. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. The file has been seen being downloaded from isminer.club and multiple other hosts. While running, it connects to the Internet address static.78.147.9.176.clients.your-server.de on port 45590.
MD5:
806779989c6ea355a1abf4f6c7cb646c

SHA-1:
36d7f7a57e2a8ec953940d15099cae2fc565c16e

SHA-256:
126395638de030e60d4a3a5cf7a8f8b664aac9ca37dc9a766182f8dfd5228fe4

Scanner detections:
27 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
12/28/2024 1:30:35 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.11649192
911

Agnitum Outpost
Riskware.BitCoinMiner
7.1.1

Avira AntiVirus
SPR/BitCoin.531456
7.11.173.208

avast!
Win64:Rootkit-gen [Rtk]
2014.9-140807

AVG
BitCoinMiner.D
2015.0.3335

Baidu Antivirus
Hacktool.Win64.BitCoinMiner
4.0.3.1487

Bitdefender
Trojan.Generic.11649192
1.0.20.1095

Dr.Web
Tool.BtcMine.420
9.0.1.0274

Emsisoft Anti-Malware
Trojan.Generic.11649192
8.14.08.07.01

ESET NOD32
Win64/BitCoinMiner (variant)
8.10448

Fortinet FortiGate
Riskware/BitCoinMiner
8/7/2014

F-Secure
Trojan.Generic.11649192
11.2014-07-08_5

G Data
Trojan.Generic.11649192
14.8.24

IKARUS anti.virus
not-a-virus:RiskTool.BitCoinMiner
t3scan.1.7.8.0

K7 AntiVirus
Trojan
13.183.13451

Kaspersky
not-a-virus:RiskTool.Win64.BitCoinMiner
14.0.0.3442

Malwarebytes
Riskware.BitcoinMiner
v2014.08.07.01

McAfee
RDN/Generic PUP.x!cmq
5600.7045

MicroWorld eScan
Trojan.Generic.11649192
15.0.0.657

NANO AntiVirus
Riskware.Win64.BtcMine.debnne
0.28.2.62286

nProtect
Trojan.Generic.11649192
14.09.22.01

Panda Antivirus
Trj/Chgt.D
14.08.07.01

Qihoo 360 Security
Win32/Virus.RiskTool.f33
1.0.0.1015

Quick Heal
RiskTool.Win64.ra (Not a Virus)
10.14.14.00

Trend Micro House Call
TROJ_GEN.R047C0OHO14
7.2.219

Trend Micro
TROJ_GEN.R047C0OHO14
10.465.01

VIPRE Antivirus
Trojan.Win32.Generic
33338

File size:
502.5 KB (514,560 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\downloads\806779989c6ea355a1abf4f6c7cb646c.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
12288:BVOEGAlH4s/FFRf725x8zHWt2/BSvHLWq1blj/UY0nTRCgu:BVfHX/FFRzJjc2/4vrWq1RAYyTI

Entry address:
0x1500

Entry point:
48, 83, EC, 28, 48, 8B, 05, 15, 3A, 07, 00, C7, 00, 00, 00, 00, 00, E8, 6A, 95, 05, 00, E8, 95, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 48, 83, EC, 38, 4C, 89, 4C, 24, 58, 4C, 8D, 4C, 24, 58, 4C, 89, 4C, 24, 28, E8, D8, 9E, 05, 00, 48, 83, C4, 38, C3, 0F, 1F, 00, 56, 53, 48, 83, EC, 28, 48, 85, C9, 74, 75, 83, 39, 01, 48, 89, CB, 74, 3D, 66, 66, 66, 66, 2E, 0F, 1F, 84, 00, 00, 00, 00, 00, 48, 89, D9, 48, C7, 03, 00, 00, 00, 00, 48, C7, 43, 08, 00, 00...
 
[+]

Code size:
388 KB (397,312 bytes)

The file 806779989c6ea355a1abf4f6c7cb646c.exe has been seen being distributed by the following 3 URLs.

http://isminer.club/.../msminer64.exe

http://itisminer.com/.../msminer64.exe

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to ns3064121.ip-94-23-8.eu  (94.23.8.105:4444)

TCP:
Connects to ns3003977.ip-188-165-214.eu  (188.165.214.76:4444)

TCP:
Connects to ns3001361.ip-37-59-49.eu  (37.59.49.7:4444)

TCP:
Connects to ip106.ip-79-137-57.eu  (79.137.57.106:8005)

TCP:
Connects to static.78.147.9.176.clients.your-server.de  (176.9.147.78:45590)

TCP:
Connects to static.243.47.9.176.clients.your-server.de  (176.9.47.243:45560)

TCP:
Connects to 195-154-181-121.rev.poneytelecom.eu  (195.154.181.121:45590)

TCP (HTTP):
Connects to mail.southdownaccountancy.net  (31.148.219.90:8080)

TCP:
Connects to ip217.ip-178-32-196.eu  (178.32.196.217:8005)

Remove 806779989c6ea355a1abf4f6c7cb646c.exe - Powered by Reason Core Security