home

windowsdefender.exe

The application windowsdefender.exe has been detected as a potentially unwanted program by 23 anti-malware scanners. This is a setup program which is used to install the application. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. The file has been seen being downloaded from callfor.info. While running, it connects to the Internet address static.78.147.9.176.clients.your-server.de on port 45550.
MD5:
8ac0cc33ddc9fbde7b2b67c066a0650b

SHA-1:
6901a90ebf027d3f091170ecf344e96602ab250e

SHA-256:
1d8fe57260246957f0b81af3d6cd689909494cb903f625cd95bf511a7c64ce2e

Scanner detections:
23 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/16/2024 12:54:29 AM UTC  (today)

Scan engine
Detection
Engine version

AegisLab AV Signature
Troj.Generic
2.1.4+

Agnitum Outpost
Riskware.BitCoinMiner
7.1.1

avast!
Win64:Rootkit-gen [Rtk]
2014.9-150822

AVG
BitCoinMiner.D
2016.0.3010

Baidu Antivirus
Hacktool.Win64.BitCoinMiner
4.0.3.15822

Bitdefender
Rootkit.15355
1.0.20.1415

Clam AntiVirus
Win.Trojan.Bitcoinminer-81
0.98/21511

Dr.Web
Tool.BtcMine.420
9.0.1.0234

ESET NOD32
Win64/BitCoinMiner.U potentially unsafe (variant)
9.12131

G Data
Win64.Riskware.BitCoinMiner
15.8.25

herdProtect (fuzzy)
variant of idman.exe
2015.10.10.22

IKARUS anti.virus
not-a-virus:RiskTool.BitCoinMiner
t3scan.1.9.5.0

K7 AntiVirus
Trojan
13.184.13727

Kaspersky
not-a-virus:RiskTool.Win64.BitCoinMiner
14.0.0.1545

McAfee
RDN/Generic PUP.x!c2i
5600.6616

MicroWorld eScan
Rootkit.15355
16.0.0.849

NANO AntiVirus
Riskware.Win64.BtcMine.deywin
0.28.2.62671

Panda Antivirus
Generic Suspicious
15.08.22.01

Qihoo 360 Security
Win32/Virus.RiskTool.f33
1.0.0.1015

Quick Heal
RiskTool.Win64.ra (Not a Virus)
10.15.14.00

Sophos
Internet Download Manager - Miner (PUA)
4.98

Trend Micro House Call
TROJ_GEN.R047C0EJ514
7.2.283

Zillya! Antivirus
Tool.BitCoinMiner.Win64.3
2.0.0.2364

File size:
503.5 KB (515,584 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\windows\sys\windowsdefender.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
12288:IVOEGAlH4s/FFRf725x8zHWt2/BSvHLWq1blj/UY0nTRCgu:IVfHX/FFRzJjc2/4vrWq1RAYyTI

Entry address:
0x1500

Entry point:
48, 83, EC, 28, 48, 8B, 05, 15, 3A, 07, 00, C7, 00, 00, 00, 00, 00, E8, 6A, 95, 05, 00, E8, 95, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 48, 83, EC, 38, 4C, 89, 4C, 24, 58, 4C, 8D, 4C, 24, 58, 4C, 89, 4C, 24, 28, E8, D8, 9E, 05, 00, 48, 83, C4, 38, C3, 0F, 1F, 00, 56, 53, 48, 83, EC, 28, 48, 85, C9, 74, 75, 83, 39, 01, 48, 89, CB, 74, 3D, 66, 66, 66, 66, 2E, 0F, 1F, 84, 00, 00, 00, 00, 00, 48, 89, D9, 48, C7, 03, 00, 00, 00, 00, 48, C7, 43, 08, 00, 00...
 
[+]

Code size:
388 KB (397,312 bytes)

The file windowsdefender.exe has been seen being distributed by the following URL.

http://callfor.info/WindowsDefender.exe

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to static.145.2.9.176.clients.your-server.de  (176.9.2.145:45550)

TCP:
Connects to 195-154-181-121.rev.poneytelecom.eu  (195.154.181.121:45550)

TCP:
Connects to static.78.147.9.176.clients.your-server.de  (176.9.147.78:45550)

TCP:
Connects to static.243.47.9.176.clients.your-server.de  (176.9.47.243:45550)

TCP:
Connects to static.178.147.9.176.clients.your-server.de  (176.9.147.178:45550)

Remove windowsdefender.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.