winsetupt.exe

The application winsetupt.exe has been detected as a potentially unwanted program by 23 anti-malware scanners. It is a setup program used to install the application, which is a malicious Bitcoin miner. Bitcoin-mining malware forces computers to generate Bitcoins for cybercriminals' use and consumes computing power. The file has been seen being downloaded from feidowns.com.
MD5:
45fa642aff7c877e0593ef52b08a73ca

SHA-1:
56da161ebc4ce9fa08c53deea2408ce1367b6aaa

SHA-256:
d3dff567054c0f8e2189f4820d5d9a0afa0e26c7c525233066c921b3232cc2d7

Scanner detections:
23 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for Bitcoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/27/2024 8:51:07 AM UTC

Scan engine             Detection                         Engine version
Lavasoft Ad-Aware       Trojan.Generic.12240864           771
Agnitum Outpost         Riskware.HackTool                 7.1.1
avast!                  Win64:Malware-gen                 2014.9-141225
AVG                     Win32/DH                          2015.0.3249
Baidu Antivirus         Hacktool.Win64.BitCoinMiner       4.0.3.141225
Bitdefender             Trojan.Generic.12240864           1.0.20.1795
Emsisoft Anti-Malware   Trojan.Generic.12254270           8.15.01.29.08
ESET NOD32              Win64/BitCoinMiner (variant)      8.10845
Fortinet FortiGate      Riskware/BitCoinMiner             12/25/2014
F-Secure                Trojan.Generic.12240864           11.2014-25-12_5
G Data                  Trojan.Generic.12240864           14.12.24
IKARUS anti.virus       HackTool.Win64.BitCoinMiner       t3scan.1.8.5.0
K7 AntiVirus            Trojan                            13.186.14270
Kaspersky               HackTool.Win64.BitCoinMiner       14.0.0.2742
McAfee                  Artemis!45FA642AFF7C              5600.6905
MicroWorld eScan        Trojan.Generic.12240864           15.0.0.1077
nProtect                Trojan.Generic.12240864           14.12.08.01
Panda Antivirus         Trj/CI.A                          14.12.25.03
Quick Heal              HackTool.Win64.r9 (Not a Virus)   1.15.14.00
Reason Heuristics       Threat.Win.Reputation.IMP         15.1.29.8
Trend Micro House Call  Suspicious_GEN.F47V1201           7.2.359
Trend Micro             TROJ_GEN.R021C0EA115              10.465.29
VIPRE Antivirus         Trojan.Win32.Generic              35540

File size:
589.5 KB (603,648 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\roaming\winsetupt.exe

File PE Metadata
Compilation timestamp:
8/2/1971 10:13:20 PM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
2.24

CTPH (ssdeep):
12288:+5zeqUyijNI/Ss/7M4URDt+C42yzZstnl/KwI7dhQirG0GUfUEmnTh:+5bzs2/St4URDt+C4RsovGY8EsTh

Entry address:
0x14B0

Entry point:
48, 83, EC, 28, C7, 05, 82, 32, 09, 00, 01, 00, 00, 00, E8, 3D, 54, 07, 00, E8, B8, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 48, 83, EC, 28, C7, 05, 62, 32, 09, 00, 00, 00, 00, 00, E8, 1D, 54, 07, 00, E8, 98, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 41, 57, 41, 56, 41, 55, 41, 54, 55, 57, 56, 53, 48, 81, EC, D8, 00, 00, 00, BB, 40, 00, 00, 00, 48, 8B, 71, 40, 48, 89, 4C, 24, 28, 48, 89, 54, 24, 30, 4C, 89, 44, 24, 20, 48, 29, F3, 4C, 39, C3, 0F, 87, 79, 87, 00, 00, 48, 8B, 54, 24, 28, 48, 8B, 4A, 48...

Code size:
499.5 KB (511,488 bytes)

Startup File (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
winsetupt

Command:
C:\users\{user}\appdata\roaming\winsetupt.exe


The file winsetupt.exe has been seen being distributed by the following URL.
