photo.scr

The file photo.scr has been detected as a potentially unwanted program by 6 of 68 anti-malware scanners. It is set to start automatically when the user logs into Windows, via a value named 'Run' under the current-user Run registry key. The sample is a Bitcoin miner, classified by most engines as riskware or a potentially unsafe application rather than a virus: it uses the infected machine's computing power to generate Bitcoin for the operator and is typically installed and run without the user's knowledge. While running, it connects to 2.sub-97-202-10.myvzw.com on port 21 (FTP); the connection log below shows the same behaviour against many unrelated FTP servers on port 21 rather than repeated connections to a single mining-pool endpoint.
MD5:
aba2d86ed17f587eb6d57e6c75f64f05

SHA-1:
aeccba64f4dd19033ac2226b4445faac05c88b76

SHA-256:
807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
The program mines Bitcoin in the background using the computer's GPU and may be installed and run without the user's knowledge.

Analysis date:
12/28/2024 1:43:07 AM UTC

Scan engine / Detection / Engine version:
Dr.Web: Tool.BtcMine.431 (hacktool program); engine 9.0.1.05190
ESET NOD32: Win32/BitCoinMiner.BX (potentially unsafe application); engine 7.0.302.0
F-Prot: W32/Adware.ALRW; engine 4.6.5.141
Kaspersky: not-a-virus:RiskTool.Win32.BitCoinMiner; engine 15.0.0.562
McAfee: Program.NightMiner-FXM; engine 18.0.204.0
Sophos: Mal/Miner-C (reported as 'Virus'); engine 5.23

File size:
1.5 MB (1,578,496 bytes)

Common path:
C:\users\{user}\appdata\local\temp\photo.scr

File PE Metadata
Compilation timestamp:
2/7/2016 2:24:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.23 (GNU ld; consistent with a MinGW/GCC build)

CTPH (ssdeep):
24576:pWKqa4hnzP3w7L3rmZmpk7FSQFW2iJ+N07/TwYV1CdZdQ+4lT+iFgiGTtswAtdz:pSrwf3aZmpOFU2iQNIUc1LxGTtswgd

Entry address:
0x12A0

Entry point:
83, EC, 1C, C7, 04, 24, 02, 00, 00, 00, FF, 15, 98, F3, 41, 00, E8, 4B, FD, FF, FF, 8D, 74, 26, 00, 8D, BC, 27, 00, 00, 00, 00, A1, C8, F3, 41, 00, FF, E0, 89, F6, 8D, BC, 27, 00, 00, 00, 00, A1, B8, F3, 41, 00, FF, E0, 90, 90, 90, 90, 90, 90, 90, 90, 90, A1, 60, 54, 41, 00, 85, C0, 74, 41, 55, 89, E5, 83, EC, 18, C7, 04, 24, 00, 60, 41, 00, E8, 65, 13, 00, 00, BA, 00, 00, 00, 00, 83, EC, 04, 85, C0, 74, 15, C7, 44, 24, 04, 0E, 60, 41, 00, 89, 04, 24, E8, 51, 13, 00, 00, 83, EC, 08, 89, C2, 85, D2, 74, 09...

Code size:
78 KB (79,872 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Run

Command:
C:\users\{user}\appdata\local\temp\photo.scr
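The persistence entry above combines three weak signals that are worth hunting for on their own: an autorun image living in %LOCALAPPDATA%\Temp, a screensaver (.scr) binary used as an autorun, and the generic value name 'Run'. The script below is an added triage example written for this page, not code from the report or from Reason Core Security. It scores Run-key entries on those signals and optionally compares the image's SHA-256 against the hash published above. The sample entries and the user name `alice` are constructed for the demonstration; `read_hkcu_run()` reads the live key and only works on Windows.

```python
"""Triage HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run entries
for the photo.scr persistence pattern (added example, not from the report)."""
import hashlib
import re
import sys

# SHA-256 of the photo.scr sample as published in the report.
IOC_SHA256 = "807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d"

# Constructed sample Run-key values (name, command); not captured from a host.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Run", r"C:\users\alice\appdata\local\temp\photo.scr"),
    ("Updater", r"C:\Users\alice\AppData\Local\Temp\svc.exe -q"),
]

_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def image_path(command):
    """Return the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_run_entries(entries, sha256_of=None):
    """Return [(name, command, reasons)] for entries matching any signal.

    sha256_of: optional callable path -> hex digest (or None). Kept injectable so
    the logic can be exercised without touching the filesystem.
    """
    flagged = []
    for name, command in entries:
        path = image_path(command)
        reasons = []
        if _TEMP_RE.search(path):
            reasons.append("image in %LOCALAPPDATA%\\Temp")
        if path.lower().endswith(".scr"):
            reasons.append("screensaver (.scr) used as autorun")
        if name.strip().lower() == "run":
            reasons.append("generic value name 'Run'")
        if sha256_of is not None and sha256_of(path) == IOC_SHA256:
            reasons.append("SHA-256 matches the reported photo.scr sample")
        if reasons:
            flagged.append((name, command, reasons))
    return flagged


def sha256_file(path):
    """Hash a file on disk; None if it cannot be read."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def read_hkcu_run():
    """Enumerate the live HKCU Run key (Windows only)."""
    import winreg  # only present on Windows
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries.append((name, str(value)))
            i += 1
    return entries


if __name__ == "__main__":
    live = sys.platform == "win32"
    entries = read_hkcu_run() if live else SAMPLE_ENTRIES
    for name, command, reasons in triage_run_entries(entries, sha256_file if live else None):
        print(f"[!] {name}: {command}\n    " + "; ".join(reasons))
```

Run on a Windows host it walks the real key and hashes each image; elsewhere it exercises the same logic on the constructed entries. The %LOCALAPPDATA%\Temp and .scr checks are heuristics, so treat a single hit as a lead to verify against the hashes above, not as a conviction.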


The executing file has been seen to make the following network communications in live environments.

TCP (FTP):
Connects to www.retio.or.jp  (202.24.119.1:21)

TCP (FTP):
Connects to softbank218116024002.bbtec.net  (218.116.24.2:21)

TCP (FTP):
Connects to saturn.cam.nist.gov  (129.6.82.2:21)

TCP (FTP):
Connects to nsg-static-1.173.75.182-airtel.com  (182.75.173.1:21)

TCP (FTP):
Connects to ip-45-40-139-6.ip.secureserver.net  (45.40.139.6:21)

TCP (FTP):
Connects to host-217-131-0-2.reverse.superonline.net  (217.131.0.2:21)

TCP (FTP):
Connects to 120-124-7-8.IP.vnu.edu.tw  (120.124.7.8:21)

TCP (FTP):
Connects to not-assigned-ipb9440502.ep-puehringer.at  (185.68.5.2:21)

TCP (FTP):
Connects to n003-000-000-000.static.ge.com  (3.89.175.2:21)

TCP (FTP):
Connects to KD027083159002.ppp-bb.dion.ne.jp  (27.83.159.2:21)

TCP (FTP):
Connects to abts-tn-static-002.33.165.122.airtelbroadband.in  (122.165.33.2:21)

TCP (FTP):
Connects to vs3-84-91-65-21.netvisao.pt  (84.91.65.21:21)

TCP (FTP):
Connects to softbank126064232021.bbtec.net  (126.64.232.21:21)

TCP (FTP):
Connects to c83-252-218-21.bredband.comhem.se  (83.252.218.21:21)

TCP (FTP):
Connects to 93-137-94-21.adsl.net.t-com.hr  (93.137.94.21:21)

TCP (FTP):
Connects to 74-93-159-21-Cordova.hfc.comcastbusiness.net  (74.93.159.21:21)

TCP (FTP):
Connects to 66-50-59-21.prtc.net  (66.50.59.21:21)
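The connection list above is one host reaching many unrelated FTP servers on TCP/21 in a short time. That fan-out is the detectable shape of this behaviour, and it differs from an ordinary FTP client (few servers, repeated sessions) and from a miner talking to a pool (one endpoint, repeated). The script below is an added detection example written for this page, not code from the report; it flags any source that contacts at least `threshold` distinct port-21 destinations inside a sliding time window. The log lines are constructed for the demonstration (the internal source addresses are made up; the destinations reuse addresses listed above), and the simple `ts src dst dport` layout is an assumption standing in for whatever your flow or Zeek conn.log export produces.

```python
"""Detect one source fanning out to many distinct FTP servers (TCP/21).
Added example for this page; log format and source addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log: ts src dst dport. 10.0.0.15 mimics the report's
# behaviour; 10.0.0.22 is a normal client re-using one FTP server.
SAMPLE_LOG = """\
# ts src dst dport
2024-12-28T01:40:01Z 10.0.0.15 202.24.119.1 21
2024-12-28T01:40:02Z 10.0.0.15 218.116.24.2 21
2024-12-28T01:40:04Z 10.0.0.15 129.6.82.2 21
2024-12-28T01:40:05Z 10.0.0.15 182.75.173.1 21
2024-12-28T01:40:07Z 10.0.0.15 45.40.139.6 21
2024-12-28T01:40:09Z 10.0.0.15 217.131.0.2 21
2024-12-28T01:40:30Z 10.0.0.22 203.0.113.5 21
2024-12-28T01:41:00Z 10.0.0.22 203.0.113.5 21
2024-12-28T01:41:05Z 10.0.0.15 198.51.100.7 443
"""


def parse_flow_log(text):
    """Parse 'ts src dst dport' lines into (datetime, src, dst, int(dport))."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return records


def ftp_fanout(records, window=timedelta(minutes=10), threshold=5, port=21):
    """Return {src: sorted distinct destinations} for every source that touched
    >= threshold distinct hosts on `port` within any `window`-long span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == port:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Slide the left edge so events[left:right+1] fits inside the window.
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {dst for _, dst in events[left:right + 1]}
            if len(distinct) >= threshold:
                hits[src] = sorted({dst for _, dst in events})
                break
    return hits


if __name__ == "__main__":
    for src, dsts in ftp_fanout(parse_flow_log(SAMPLE_LOG)).items():
        print(f"[!] {src} -> {len(dsts)} distinct FTP servers: {', '.join(dsts)}")
```

Tune `threshold` and `window` to your environment; a host that legitimately administers several FTP servers will show a stable, small destination set over days, whereas the pattern above grows by the second. Pair a hit with the Run-key check and the file hashes from this report before acting on it.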

Remove photo.scr - Powered by Reason Core Security