winsetupt.exe

The application winsetupt.exe has been detected as a potentially unwanted program by 23 anti-malware scanners. It is named like a setup (installer) program, but the scanners classify it as a malicious Bitcoin miner. Bitcoin-mining malware forces the infected computer to generate Bitcoin for the attacker's benefit and consumes its computing power in the process. The file has been seen being downloaded from feidowns.com.
MD5:
67efafb01ddc8853c43a958d4b943397

SHA-1:
a160714da3cd84c762694e5509da906437c82486

SHA-256:
4f270a20723dc885a0067fc836038b0b9ed6237efb7a743e6e2b3c088429669d

Scanner detections:
23 / 68

Status:
Potentially unwanted

Explanation:
The program mines Bitcoin using the computer's GPU in the background and may be installed and run without the user's knowledge. Many of the detections listed below are HackTool, Riskware or PUP labels rather than Trojan names because the mining code itself is dual-use; what makes this file malicious is its silent installation and execution.

Analysis date:
11/27/2024 9:01:02 AM UTC (rendered date; the engine versions in the table, e.g. avast! 2014.9-150107 and Fortinet 1/7/2015, date the actual scan to January 2015)

Scan engine               Detection                           Engine version
Lavasoft Ad-Aware         Trojan.Generic.12254270             759
Agnitum Outpost           Riskware.HackTool                   7.1.1
avast!                    Win64:Malware-gen                   2014.9-150107
AVG                       Win32/DH                            2016.0.3237
Baidu Antivirus           Hacktool.Win64.BitCoinMiner         4.0.3.1517
Bitdefender               Trojan.Generic.12254270             1.0.20.35
Emsisoft Anti-Malware     Trojan.Generic.12254270             8.15.01.07.10
ESET NOD32                Win64/BitCoinMiner (variant)        9.10964
Fortinet FortiGate        Adware/BitCoinMiner                 1/7/2015
F-Secure                  Trojan.Generic.12254270             11.2015-07-01_4
G Data                    Trojan.Generic.12254270             15.1.24
IKARUS anti.virus         HackTool.Win64.BitCoinMiner         t3scan.1.8.5.0
K7 AntiVirus              Trojan                              13.1814525
Kaspersky                 HackTool.Win64.BitCoinMiner         14.0.0.2678
McAfee                    RDN/Generic PUP.z!ei                5600.6893
MicroWorld eScan          Trojan.Generic.12254270             16.0.0.21
nProtect                  Trojan.Generic.12254270             15.01.02.01
Panda Antivirus           Trj/CI.A                            15.01.07.10
Quick Heal                HackTool.Win64.r9 (Not a Virus)     1.15.14.00
Reason Heuristics         Threat.Win.Reputation.IMP           15.1.29.8
Trend Micro House Call    TROJ_GEN.R021C0EA115                7.2.7
Trend Micro               TROJ_GEN.R021C0EA115                10.465.07
VIPRE Antivirus           Trojan.Win32.Generic                36372

File size:
589.5 KB (603,648 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\roaming\winsetupt.exe

File PE Metadata
Compilation timestamp:
8/2/1971 10:13:20 PM (implausible: this predates the PE format itself, so the TimeDateStamp field is forged or corrupt and cannot be used to date the build)

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
2.24 (consistent with GNU ld from binutils 2.24, i.e. a MinGW-w64 build; the entry-point bytes below decode to the mingw-w64 CRT startup stub: sub rsp,28h / mov dword [rip+disp],1 / call / call / nop nop / add rsp,28h / ret)

CTPH (ssdeep):
12288:r5zeqUyijNI/Ss/7M4URDt+C42yzZstnl/KwI7dhQirG0cUfUEmnTF:r5bzs2/St4URDt+C4RsovGq8EsTF

Entry address:
0x14B0

Entry point:
48, 83, EC, 28, C7, 05, 82, 32, 09, 00, 01, 00, 00, 00, E8, 3D, 54, 07, 00, E8, B8, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 48, 83, EC, 28, C7, 05, 62, 32, 09, 00, 00, 00, 00, 00, E8, 1D, 54, 07, 00, E8, 98, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 41, 57, 41, 56, 41, 55, 41, 54, 55, 57, 56, 53, 48, 81, EC, D8, 00, 00, 00, BB, 40, 00, 00, 00, 48, 8B, 71, 40, 48, 89, 4C, 24, 28, 48, 89, 54, 24, 30, 4C, 89, 44, 24, 20, 48, 29, F3, 4C, 39, C3, 0F, 87, 79, 87, 00, 00, 48, 8B, 54, 24, 28, 48, 8B, 4A, 48...
 
Code size:
499.5 KB (511,488 bytes)
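The metadata block above is what a minimal PE header walk produces. The following parser is an added example, not code from this page or from Reason Core Security: it reads the COFF and optional headers, walks the section table to turn the AddressOfEntryPoint RVA into a file offset, and flags a TimeDateStamp that cannot be real (the 1971 value above predates the PE format). The sample image built by `build_sample_pe()` is constructed for offline testing and is not the real winsetupt.exe; it only carries the header values from this listing, and its entry-point bytes are copied from the listing above.

```python
"""Minimal PE header reader (added example, not part of the original listing or the
scanner's own tooling). It recovers the fields a 'File PE Metadata' block reports:
bitness, linker version, OS version, subsystem, TimeDateStamp, entry RVA, the first
entry-point bytes and SizeOfCode, and flags a TimeDateStamp that cannot be real."""
import struct
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI", 10: "EFI application"}
# PE executables did not exist before Windows NT 3.1 (1993); earlier stamps are bogus.
PE_FORMAT_INTRODUCED = datetime(1993, 1, 1, tzinfo=timezone.utc)

# First 32 entry-point bytes as listed on this page (mingw-w64 style startup stub).
ENTRY_BYTES_FROM_LISTING = bytes.fromhex(
    "48 83 EC 28 C7 05 82 32 09 00 01 00 00 00 E8 3D 54 07 00 E8 B8 FC FF FF 90 90 48 83 C4 28 C3 90")


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def parse_pe(data, entry_bytes=16):
    """Return the header fields shown in the metadata block as a dict."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsections, tds, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # Standard fields: MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint
    maj_l, min_l, size_code, _, _, entry_rva = struct.unpack_from("<BBIIII", data, opt + 2)
    # Windows-specific fields start at offset 32 in both PE32 (BaseOfData + 4-byte ImageBase)
    # and PE32+ (8-byte ImageBase): SectionAlignment ... CheckSum, Subsystem, DllCharacteristics
    fields = struct.unpack_from("<IIHHHHHHIIIIHH", data, opt + 32)
    maj_os, min_os, subsystem = fields[2], fields[3], fields[12]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    off = rva_to_offset(sections, entry_rva)
    stamp = datetime.fromtimestamp(tds, timezone.utc)
    return {
        "arch": "Win64" if magic == 0x20B else "Win32",
        "linker": f"{maj_l}.{min_l}",
        "os_version": f"{maj_os}.{min_os}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "timestamp": stamp.strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_plausible": tds != 0 and PE_FORMAT_INTRODUCED <= stamp <= datetime.now(timezone.utc),
        "entry_rva": entry_rva,
        "entry_bytes": " ".join(f"{b:02X}" for b in data[off:off + entry_bytes]),
        "size_of_code": size_code,
    }


def build_sample_pe():
    """Constructed PE32+ image (not the real winsetupt.exe) that carries the header
    values from the listing above, so parse_pe()'s output can be checked offline."""
    entry_rva, sec_va, sec_raw, sec_size = 0x14B0, 0x1000, 0x200, 0x600
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 50019200, 0, 0, 240, 0x22)     # 50019200 = 1971-08-02 22:13:20 UTC
    opt = struct.pack("<HBBIIIII", 0x20B, 2, 24, sec_size, 0, 0, entry_rva, sec_va)   # linker 2.24
    opt += struct.pack("<QIIHHHHHHIIIIHH", 0x140000000, 0x1000, 0x200,
                       4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0)          # OS 4.0, subsystem 2 (GUI)
    opt = opt.ljust(240, b"\0")                                              # data directories left empty
    section = struct.pack("<8sIIIIIIHHI", b".text", sec_size, sec_va, sec_size, sec_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(sec_raw, b"\0")
    body = bytearray(sec_size)
    body[entry_rva - sec_va:entry_rva - sec_va + len(ENTRY_BYTES_FROM_LISTING)] = ENTRY_BYTES_FROM_LISTING
    return headers + bytes(body)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for k, v in parse_pe(data).items():
        print(f"{k:20} {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:20} {v}")
```

Run it with a path to a PE file to dump the same fields for any sample; without arguments it parses the constructed image and reports the 1971 stamp as not plausible. The RVA-to-offset step matters because the entry bytes shown on such pages are file bytes, not memory bytes: a packed or oddly laid-out binary can have an entry RVA outside any section, which the parser reports as an error rather than reading garbage.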

Startup File (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
winsetupt

Command:
C:\users\{user}\appdata\roaming\winsetupt.exe
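A triage script for the persistence entry above, as an added example (not Reason Core Security's tooling and not code from this page). It enumerates HKCU Run and RunOnce values when run on a Windows host, isolates the executable path from each command value (quoted paths, trailing arguments, `%VAR%` references), and reports three things: an executable sitting directly in the `%APPDATA%` root as documented above, a file name matching winsetupt.exe, and a SHA-256 matching the hash from this listing. Because Windows deletes a RunOnce value once it has executed, the script also probes the documented drop path directly. `SAMPLE_ENV`, `SAMPLE_ENTRIES` and `SAMPLE_FILES` are constructed stand-ins so the logic runs off the infected host; the stand-in bytes are not the real binary and will not hash-match the indicator.

```python
"""Autorun triage against the indicators on this page (added example; not the
scanner's own tooling). It parses Run/RunOnce command values, expands %VAR%
references, isolates the executable path, and reports path, name and hash matches."""
import hashlib
import ntpath
import os
import re

# Indicators taken from the listing above
IOC_SHA256 = {"4f270a20723dc885a0067fc836038b0b9ed6237efb7a743e6e2b3c088429669d"}
IOC_NAMES = {"winsetupt.exe"}
RUN_KEYS = [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def expand_env(text, env):
    """Expand %VAR% references from a caller-supplied environment (keys matched case-insensitively)."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), text)


def extract_exe(command, env):
    """Isolate the executable from a Run/RunOnce value: quoted path, or unquoted path up to '.exe'."""
    cmd = expand_env(command.strip(), env)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    return ntpath.normpath(exe)


def classify_entry(name, command, env, read_file, ioc_sha256=IOC_SHA256):
    """Return findings for one autorun value; read_file(path) -> bytes or None."""
    exe = extract_exe(command, env)
    appdata = expand_env("%APPDATA%", env)
    findings = []
    if appdata != "%APPDATA%" and ntpath.dirname(exe).lower() == ntpath.normpath(appdata).lower():
        findings.append("executable dropped directly in the %APPDATA% root")
    if ntpath.basename(exe).lower() in IOC_NAMES:
        findings.append("file name matches indicator")
    data = read_file(exe)
    if data is not None and sha256_hex(data) in ioc_sha256:
        findings.append("SHA-256 matches indicator")
    return {"name": name, "exe": exe, "findings": findings}


def known_path_present(env, read_file):
    """RunOnce values are deleted once they run, so also probe the documented drop path directly."""
    return read_file(extract_exe(r"%APPDATA%\winsetupt.exe", env)) is not None


def read_run_entries():
    """Enumerate HKCU Run and RunOnce values on a Windows host; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for key in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
                i = 0
                while True:
                    name, value, _ = winreg.EnumValue(k, i)
                    entries.append((name, str(value)))
                    i += 1
        except OSError:        # key missing, or EnumValue ran past the last value
            continue
    return entries


def disk_reader(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample data so the logic can be exercised off the infected host.
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming", "ProgramFiles": r"C:\Program Files"}
SAMPLE_ENTRIES = [
    ("winsetupt", r"C:\users\alice\appdata\roaming\winsetupt.exe"),          # mirrors the entry documented above
    ("VendorTool", r'"C:\Program Files\Vendor\tool.exe" /background'),
    ("Updater", r"%APPDATA%\Vendor\update.exe --quiet"),
]
SAMPLE_FILES = {  # stand-in bytes, not the real binary; keys lower-cased for case-insensitive lookup
    r"c:\users\alice\appdata\roaming\winsetupt.exe": b"MZ" + b"\0" * 62 + b"constructed stand-in",
    r"c:\program files\vendor\tool.exe": b"MZ" + b"\0" * 62 + b"benign stand-in",
}


def sample_reader(path):
    return SAMPLE_FILES.get(ntpath.normpath(path).lower())


if __name__ == "__main__":
    live = read_run_entries()
    env, reader, entries = (dict(os.environ), disk_reader, live) if live else (SAMPLE_ENV, sample_reader, SAMPLE_ENTRIES)
    for name, cmd in entries:
        r = classify_entry(name, cmd, env, reader)
        print(f"{name:<12} {r['exe']}  ->  {'; '.join(r['findings']) or 'no findings'}")
    print("documented drop path present:", known_path_present(env, reader))
```

On the affected user's Windows session the script reads the live registry and hashes the real files; elsewhere it falls back to the constructed samples. The hash check is the only exact indicator; the location and file-name checks are heuristics and will also fire on a renamed legitimate installer, so treat them as a reason to pull the file for analysis, not as a verdict.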


The file winsetupt.exe has been seen being distributed by the following URL.

Remove winsetupt.exe - Powered by Reason Core Security