gapminer.exe

The executable gapminer.exe has been detected as malware by 6 anti-virus scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address lb-182-231.above.com on port 4200.
MD5:
22b1b44e79a5a1303d23b2a951dbb324

SHA-1:
ae357f38ea35c892bd3ce7598aecb9517916136e

SHA-256:
443f246103d85c6ab110076db8d79100648596b8a200987be681b88e6f3afb5b

Scanner detections:
6 / 68

Status:
Malware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/4/2024 5:06:07 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win64:Rootkit-gen [Rtk]
2014.9-150119

Baidu Antivirus
Hacktool.Win64.BitCoinMiner
4.0.3.15119

ESET NOD32
Win64/BitCoinMiner.AM
9.11031

McAfee
Artemis!22B1B44E79A5
5600.6881

Norman
Suspicious_Gen4.HMQGR
11.20150119

Trend Micro House Call
Suspicious_GEN.F47V1210
7.2.19

File size:
2.9 MB (3,003,628 bytes)

File type:
Executable application (Win64 EXE)

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
49152:gFP3/cLimc6ftXgkT2EVbN+hhCKTP721TwE6Q5ccu3mN:YYiwFhNY7u6Q5ccu3mN

Entry address:
0x14D0

Entry point:
48, 83, EC, 28, C7, 05, 62, DE, 18, 00, 00, 00, 00, 00, E8, 2D, E0, 0A, 00, E8, 98, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 48, 8D, 0D, 39, BB, 18, 00, E9, 24, 24, 11, 00, 0F, 1F, 40, 00, 31, C0, 48, C7, 41, 60, 00, 00, 00, 00, 48, C7, 41, 68, 00, 00, 00, 00, 48, C7, 41, 70, 00, 00, 00, 00, 48, C7, 41, 04, 00, 00, 00, 00, 48, C7, 41, 0C, 00, 00, 00, 00, 48, C7, 41, 14, 00, 00, 00, 00, 48, C7, 41, 1C, 00, 00, 00, 00, 48, C7, 41, 24, 00, 00, 00, 00, 48, C7, 41, 2C, 00, 00, 00, 00, 48, C7, 41, 34, 00, 00...
 
[+]

Entropy:
5.8920

Code size:
1.1 MB (1,171,456 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to lb-182-231.above.com  (103.224.182.231:4200)

Remove gapminer.exe - Powered by Reason Core Security