» deamon.exe
Overview
Analysis
File Details
Network (5)

deamon.exe

The application deamon.exe has been detected as a potentially unwanted program by 25 anti-malware scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address mail.litecoinpool.org on port 3333.

File name:

deamon.exe

MD5:

640715b013a5ee3646129fc00d58caf8

SHA-1:

91eb79bffdd7524bfc80f367cb958616534ed3e6

SHA-256:

9d9ad9271e3fc4ad67106e0c51da3e92de6d1cc017797919e7ad1511fd0b6586

Scanner detections:

25 / 68

Status:

Potentially unwanted

Explanation:

The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:

4/19/2024 9:42:39 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Application.Bitcoinminer.F

1043

Agnitum Outpost

Riskware.Agent

7.1.1

Avira AntiVirus

SPR/BitCoin.aged

7.11.139.188

avast!

Win32:BitCoinMiner-FA [PUP]

2014.9-140329

Bitdefender

Application.Bitcoinminer.F

1.0.20.440

Comodo Security

Application.Win32.Bitcoinminer.~F

18006

Dr.Web

Tool.BtcMine.284

9.0.1.088

ESET NOD32

Win32/BitCoinMiner.AX (variant)

8.9607

Fortinet FortiGate

Riskware/BitCoinMiner

3/29/2014

F-Secure

Application.Bitcoinminer.F

11.2014-29-03_7

G Data

Application.Bitcoinminer

14.3.24

IKARUS anti.virus

Win32.SuspectCrc

t3scan.2.2.29

K7 AntiVirus

Trojan

13.176.11584

Kaspersky

not-a-virus:RiskTool.Win32.BitCoinMiner

14.0.0.4099

Malwarebytes

Riskware.BitcoinMiner

v2014.03.29.05

McAfee

RDN/Generic PUP.x!bwf

5600.7177

MicroWorld eScan

Application.Bitcoinminer.F

15.0.0.264

NANO AntiVirus

Riskware.Win32.BitCoinMiner.cuwlis

0.28.0.58720

Norman

BitCoinMiner.STR

11.20140329

Panda Antivirus

Trj/dtcontx.L

14.03.29.05

Quick Heal

RiskTool.BitCoinMiner.heu (Not a Virus)

3.14.12.00

Sophos

Generic PUA JB

4.98

Trend Micro House Call

TROJ_GEN.F47V0228

7.2.88

VIPRE Antivirus

Trojan.Win32.Generic

27794

XVirus List

Win.Detected

2.3.31

File size:

188 KB (192,512 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\deamon.exe

File PE Metadata

Compilation timestamp:

2/27/2014 11:42:12 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows Console

Linker version:

2.23

CTPH (ssdeep):

3072:oHidscHrfc99K+WjK8LXerhMmCBFRyVj7Ahf8xmszPc:oHpUfSB8LXerhMmCBF3JvSP

Entry address:

0x14C0

Entry point:

83, EC, 0C, C7, 05, 9C, 03, 43, 00, 00, 00, 00, 00, E8, EE, 00, 02, 00, 83, C4, 0C, E9, A6, FC, FF, FF, 90, 90, 90, 90, 90, 90, 55, 89, E5, 83, EC, 18, A1, 44, C7, 42, 00, 85, C0, 74, 3C, C7, 04, 24, 00, D0, 42, 00, FF, 15, F8, 22, 43, 00, BA, 00, 00, 00, 00, 83, EC, 04, 85, C0, 74, 16, C7, 44, 24, 04, 0E, D0, 42, 00, 89, 04, 24, FF, 15, 00, 23, 43, 00, 83, EC, 08, 89, C2, 85, D2, 74, 09, C7, 04, 24, 44, C7, 42, 00, FF, D2, C9, C3, 8D, 76, 00, 55, 89, E5, 5D, C3, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90... 
[+]

Code size:

170 KB (174,080 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP:

Connects to ip218.ip-91-134-223.eu (91.134.223.218:3333)

TCP:

Connects to ip231.ip-91-134-223.eu (91.134.223.231:3333)

TCP:

Connects to 149-210-234-234.colo.transip.net (149.210.234.234:3333)

TCP:

Connects to mail.litecoinpool.org (88.80.187.187:3333)

TCP (HTTP):

Connects to dmpro-ca-01.fooservers.com (167.114.156.214:80)

Remove deamon.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.