home

sgminer.exe

SG Miner

The Group

The application sgminer.exe by The Group has been detected as a potentially unwanted program by 12 anti-malware scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address livingston.shortysmalls.biz on port 3200.
Publisher:
Open Source  (signed by The Group)

Product:
SG Miner

Version:
5.1.1

MD5:
62190df40bd723eddcef72cdc11f16d5

SHA-1:
8576b9424a3d6c25165a561227535cf1eb5cf8a6

SHA-256:
f116ad359e77653935539bb930b428562e4f4a085dcecf18a5d938b096a422f6

Scanner detections:
12 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
12/27/2024 6:48:49 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

Avira AntiVirus
TR/BitCoinMiner.2747712
8.3.1.6

avast!
Multi:BitCoinMiner-B [PUP]
2014.9-150628

AVG
Generic_s
2016.0.3065

Baidu Antivirus
Hacktool.Win32.BitCoinMiner
4.0.3.15628

Dr.Web
Tool.BtcMine.582
9.0.1.0179

ESET NOD32
Win32/BitCoinMiner.BY potentially unsafe (variant)
9.11854

IKARUS anti.virus
Trojan.BitCoinMiner
t3scan.1.9.5.0

K7 AntiVirus
Unwanted-Program
13.205.16384

Qihoo 360 Security
Win32/Trojan.f27
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
15.6.28.3

VIPRE Antivirus
Trojan.Win32.Generic
41512

File size:
2.6 MB (2,747,672 bytes)

Product version:
5.1.1

Copyright:
Copyright (C) 2015

Original file name:
sgminer.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\cpuminer\sgminer\sgminer.exe

Digital Signature
Signed by:
The Group

Authority:
COMODO CA Limited

Valid from:
5/31/2015 1:00:00 AM

Valid to:
5/31/2016 12:59:59 AM

Subject:
CN=The Group, O=The Group, STREET="vul. Gagarina, 5", L=Khmelnytskyy, S=Khmelnytska obl, PostalCode=29000, C=UA

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
47800CE335CF5196AC9AFB9061AA72E4

File PE Metadata
Compilation timestamp:
6/23/2015 9:48:46 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
12.0

CTPH (ssdeep):
49152:LIt9jEVW3p+/Kkf5pITCrG6XTbDRPuKh8NVW:LItyQZ3qwKN1

Entry address:
0x1C011B

Entry point:
E8, 7E, 06, 00, 00, E9, 4B, FE, FF, FF, 3B, 0D, 30, 40, 63, 00, 75, 02, F3, C3, E9, 5B, 00, 00, 00, FF, 25, 9C, 22, 5C, 00, FF, 25, A0, 22, 5C, 00, FF, 25, A4, 22, 5C, 00, FF, 25, A8, 22, 5C, 00, FF, 25, AC, 22, 5C, 00, 55, 8B, EC, FF, 15, 94, 20, 5C, 00, 6A, 01, A3, C4, 3E, 68, 00, E8, F5, 08, 00, 00, FF, 75, 08, E8, F3, 08, 00, 00, 83, 3D, C4, 3E, 68, 00, 00, 59, 59, 75, 08, 6A, 01, E8, DB, 08, 00, 00, 59, 68, 09, 04, 00, C0, E8, DC, 08, 00, 00, 59, 5D, C3, 55, 8B, EC, 81, EC, 24, 03, 00, 00, 6A, 17, E8...
 
[+]

Entropy:
6.9405

Code size:
1.8 MB (1,836,032 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to livingston.shortysmalls.biz  (66.117.6.3:3200)

Remove sgminer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.