calcinstall.exe

Retro PC Calculator

Hong Kong Binary Software

The application calcinstall.exe, “Retro PC Calculator Setup”, has been detected as a potentially unwanted program by 21 anti-malware scanners. The program is a setup application that uses the Inno Setup installer; however, the file is not signed with an Authenticode signature from a trusted source. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. The file has been seen being downloaded from d3emsmln8xfj03.cloudfront.net and multiple other hosts.
Publisher:
Hong Kong Binary Software

Product:
Retro PC Calculator

Description:
Retro PC Calculator Setup

MD5:
3772f001819ab5a4c07caa9e085e4915

SHA-1:
7dfc68d0f8568dcfdcf1f89befe1b084ff92f93e

SHA-256:
33a55b4c77815adb320ea78ef7d0d340889345c98fa84425b55c33cb3521c7d2

Scanner detections:
21 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for Bitcoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
1/24/2025 5:18:46 PM UTC

Scan engine             Detection                                Engine version
Lavasoft Ad-Aware       Application.BitCoinMiner.BM              1103
Agnitum Outpost         Riskware.BitCoinMiner                    7.1.1
Avira AntiVirus         TR/BitCoinMiner.Gen                      7.11.127.54
avast!                  Win32:Miner-B [PUP]                      2014.9-140127
Baidu Antivirus         Trojan.Win64.BitCoinMiner                4.0.3.14127
Bitdefender             Application.BitCoinMiner.BM              1.0.20.135
Comodo Security         UnclassifiedMalware                      17674
ESET NOD32              Win64/BitCoinMiner (variant)             8.9338
Fortinet FortiGate      Riskware/Win64_BitCoinMiner              1/27/2014
F-Secure                Application.BitCoinMiner.BM              11.2014-27-01_2
G Data                  Application.BitCoinMiner.BM              14.1.24
Kaspersky               not-a-virus:RiskTool.Win64.BitCoinMiner  14.0.0.4401
McAfee                  Artemis!3772F001819A                     5600.7237
MicroWorld eScan        Application.BitCoinMiner.BM              15.0.0.81
NANO AntiVirus          Riskware.Win64.BitCoinMiner.cqywam       0.28.0.57380
Qihoo 360 Security      Win32/Application.e93                    1.0.0.1015
Reason Heuristics       Unnamed.Threat.39                        14.3.6.7
Sophos                  Bitcoin Miner                            4.97
Trend Micro House Call  TROJ_GEN.R0CBB01AN14                     7.2.27
Vba32 AntiVirus         Riskware.BitcoinMiner.11207              3.12.24.3
VIPRE Antivirus         Trojan.Win32.Generic                     25806

File size:
1.5 MB (1,612,156 bytes)

Product version:
11

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\calcinstall.exe

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:CQimTnRs39n7aAQc6U/YexagNCfw4wwD7lq7njAY6bVzI3xT1UoHHLsItq:C9ae8ecgNCfswDBqDF6bRI3xBUsrsqq

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file calcinstall.exe has been seen being distributed by the following 2 URLs.
