explorer_1.exe

The executable explorer_1.exe has been detected as malware by 5 anti-virus scanners. It is a malicious Bitcoin miner. Bitcoin-mining malware forces the infected computer to generate Bitcoins for the attacker's benefit, consuming its computing power in the process. While running, it connects to the Internet address ypool.net on port 10034.
MD5:
70491264f0245e46f0ea68d1eb714e23

SHA-1:
05a5d761b2a96e9e61dc1f6c6ffb8e6cdc2bf56e

SHA-256:
e9b6205e39f97ac42eb4183e30f802c0e06b225ecfb63f1125cd1c6ab61e7542

Scanner detections:
5 / 68

Status:
Malware

Explanation:
The program mines for Bitcoins in the background using the computer's GPU, and may be installed and run without the user's knowledge.

Analysis date:
11/23/2024 12:27:12 PM UTC

Scan engine             Detection                      Engine version
AhnLab V3 Security      Trojan/Win64.BitCoinMiner      2014.01.10
Baidu Antivirus         Trojan.Win64.BitCoinMiner      4.0.3.14110
ESET NOD32              Win64/BitCoinMiner (variant)   8.9273
McAfee                  Artemis!70491264F024           5600.7255
Trend Micro House Call  TROJ_GEN.F47V0109              7.2.10

File size:
397 KB (406,528 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\windows\explorer_1.exe

PE file metadata
Compilation timestamp:
1/10/2014 12:44:40 AM

OS version:
6.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
11.0

CTPH (ssdeep):
6144:2UWVbjBdx9FmjzzhfY3vHbLCRSTBQSQSo+Kw00Ob1sVRdJJcWYkocbb:iVbjBdvFmjzdfY/lQAo3w003fJc

Entry address:
0x17ED0

Entry point:
48, 83, EC, 28, E8, 03, 94, 00, 00, 48, 83, C4, 28, E9, 42, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 66, 66, 0F, 1F, 84, 00, 00, 00, 00, 00, 48, 83, EC, 10, 4C, 89, 14, 24, 4C, 89, 5C, 24, 08, 4D, 33, DB, 4C, 8D, 54, 24, 18, 4C, 2B, D0, 4D, 0F, 42, D3, 65, 4C, 8B, 1C, 25, 10, 00, 00, 00, 4D, 3B, D3, 73, 16, 66, 41, 81, E2, 00, F0, 4D, 8D, 9B, 00, F0, FF, FF, 41, C6, 03, 00, 4D, 3B, D3, 75, F0, 4C, 8B, 14, 24, 4C, 8B, 5C, 24, 08, 48, 83, C4, 10, C3, CC, CC...

Entropy:
6.0235

Code size:
196.5 KB (201,216 bytes)

When executed, the file has been observed making the following network communication in live environments.

TCP:
Connects to ypool.net (213.208.129.126:10034)

Powered by Reason Core Security