deamon.exe

The application deamon.exe has been detected as a potentially unwanted program by 29 anti-malware scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address mail.litecoinpool.org on port 3333.
MD5:
640715b013a5ee3646129fc00d58caf8

SHA-1:
91eb79bffdd7524bfc80f367cb958616534ed3e6

SHA-256:
9d9ad9271e3fc4ad67106e0c51da3e92de6d1cc017797919e7ad1511fd0b6586

Scanner detections:
29 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
8/19/2018 4:24:15 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Application.Bitcoinminer.F
1043

Agnitum Outpost
Riskware.Agent
7.1.1

Avira AntiVirus
SPR/BitCoin.aged
7.11.139.188

Antiy Labs AVL
RiskWare[RiskTool:not-a-virus,HEUR]/Win32.BitCoinMiner
0.1.0.1

avast!
Win32:BitCoinMiner-FA [PUP]
2014.9-140329

Bitdefender
Application.Bitcoinminer.F
1.0.20.440

Comodo Security
Application.Win32.Bitcoinminer.~F
18006

Dr.Web
Tool.BtcMine.284
9.0.1.088

ESET NOD32
Win32/BitCoinMiner.AX (variant)
8.9607

Fortinet FortiGate
Riskware/BitCoinMiner
3/29/2014

F-Secure
Application.Bitcoinminer.F
11.2014-29-03_7

G Data
Application.Bitcoinminer
14.3.24

IKARUS anti.virus
Win32.SuspectCrc
t3scan.2.2.29

K7 AntiVirus
Trojan
13.176.11584

K7 Gateway Antivirus
Trojan
13.176.11587

Kaspersky
not-a-virus:RiskTool.Win32.BitCoinMiner
14.0.0.4099

Kingsoft AntiVirus
Win32.Troj.Generic.a.(kcloud)
331020.49267

Malwarebytes
Riskware.BitcoinMiner
v2014.03.29.05

McAfee
RDN/Generic PUP.x!bwf
5600.7177

McAfee Web Gateway
RDN/Generic PUP.x!bwf
7.7177

MicroWorld eScan
Application.Bitcoinminer.F
15.0.0.264

NANO AntiVirus
Riskware.Win32.BitCoinMiner.cuwlis
0.28.0.58720

Norman
BitCoinMiner.STR
11.20140329

Panda Antivirus
Trj/dtcontx.L
14.03.29.05

Quick Heal
RiskTool.BitCoinMiner.heu (Not a Virus)
3.14.12.00

Sophos
Generic PUA JB
4.98

Trend Micro House Call
TROJ_GEN.F47V0228
7.2.88

VIPRE Antivirus
Trojan.Win32.Generic
27794

XVirus List
Win.Detected
2.3.31

File size:
188 KB (192,512 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\deamon.exe

File PE Metadata
Compilation timestamp:
2/27/2014 11:42:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
2.23

CTPH (ssdeep):
3072:oHidscHrfc99K+WjK8LXerhMmCBFRyVj7Ahf8xmszPc:oHpUfSB8LXerhMmCBF3JvSP

Entry address:
0x14C0

Entry point:
83, EC, 0C, C7, 05, 9C, 03, 43, 00, 00, 00, 00, 00, E8, EE, 00, 02, 00, 83, C4, 0C, E9, A6, FC, FF, FF, 90, 90, 90, 90, 90, 90, 55, 89, E5, 83, EC, 18, A1, 44, C7, 42, 00, 85, C0, 74, 3C, C7, 04, 24, 00, D0, 42, 00, FF, 15, F8, 22, 43, 00, BA, 00, 00, 00, 00, 83, EC, 04, 85, C0, 74, 16, C7, 44, 24, 04, 0E, D0, 42, 00, 89, 04, 24, FF, 15, 00, 23, 43, 00, 83, EC, 08, 89, C2, 85, D2, 74, 09, C7, 04, 24, 44, C7, 42, 00, FF, D2, C9, C3, 8D, 76, 00, 55, 89, E5, 5D, C3, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90, 90...
 
[+]

Code size:
170 KB (174,080 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to ip218.ip-91-134-223.eu  (91.134.223.218:3333)

TCP:
Connects to ip231.ip-91-134-223.eu  (91.134.223.231:3333)

TCP:
Connects to 149-210-234-234.colo.transip.net  (149.210.234.234:3333)

TCP:
Connects to mail.litecoinpool.org  (88.80.187.187:3333)

TCP (HTTP):
Connects to dmpro-ca-01.fooservers.com  (167.114.156.214:80)

Remove deamon.exe - Powered by Reason Core Security