» gen64.exe
Overview
Analysis
File Details
Network (18)

gen64.exe

The executable gen64.exe has been detected as malware by 24 anti-virus scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address xmr9.crypto-pool.fr on port 80 using the HTTP protocol.

File name:

gen64.exe

MD5:

8431e21e4f48be4a4119aef7452e270f

SHA-1:

9df28903fd4014286a774471b2c056f9af0489d5

SHA-256:

50109b609f1efa2099067bc132a22a43a60966e1fc58c2c808e3d44c074da6cb

Scanner detections:

24 / 68

Status:

Malware

Explanation:

The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:

4/26/2024 12:22:18 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.11581195

860

Agnitum Outpost

Trojan.BitMin

7.1.1

AhnLab V3 Security

Trojan/Win64.ADH

2014.10.13

Baidu Antivirus

Trojan.Win64.BitCoinMiner

4.0.3.15313

Bitdefender

Trojan.Generic.11581195

1.0.20.1350

Emsisoft Anti-Malware

Trojan.Generic.11581195

8.14.09.27.11

ESET NOD32

Win64/BitCoinMiner.AH (variant)

8.10160

Fortinet FortiGate

W64/BitMin.AH!tr

9/27/2014

F-Secure

Trojan.Generic.11581195

11.2014-27-09_7

G Data

Trojan.Generic.11581195

14.9.24

IKARUS anti.virus

Trojan.Win64.BitMin

t3scan.1.6.1.0

Kaspersky

Trojan.Win64.BitMin

14.0.0.3185

MicroWorld eScan

Trojan.Generic.11581195

15.0.0.810

NANO AntiVirus

Trojan.Win64.BitCoinMiner.devhlj

0.28.2.62483

Norman

BitMin.A

11.20140927

nProtect

Trojan.Generic.11477218

14.10.12.01

Panda Antivirus

Trj/Chgt.A

14.09.27.11

Quick Heal

Trojan.Win64.g9

3.15.14.00

Reason Heuristics

Threat.Win.Reputation.IMP

15.3.13.1

Rising Antivirus

PE:Trojan.Win32.Generic.17075C88!386358408

23.00.65.15311

Trend Micro House Call

Suspicious_GEN.F47V0720

7.2.270

Vba32 AntiVirus

Trojan.Win64.BitMin

3.12.26.3

VIPRE Antivirus

Trojan.Win32.Generic

33862

ViRobot

Trojan.Win64.A.BitMin.4550144

2011.4.7.4223

File size:

4.1 MB (4,345,856 bytes)

File type:

Executable application (Win64 EXE)

Common path:

C:\users\{user}\appdata\roaming\gen64\gen64.exe

File PE Metadata

Compilation timestamp:

6/27/2014 9:56:33 AM

OS version:

4.0

OS bitness:

Win64

Subsystem:

Windows Console

Linker version:

2.23

CTPH (ssdeep):

49152:OJb6EBsIpths+zdGFGPRrG5hucsmY05PNRFEn37M55Fh5eiARc0HETi+DJG88aIm:/FN7A7ClVVxTicGNa8lk

Entry address:

0x14C0

Entry point:

48, 83, EC, 28, C7, 05, 22, 8B, 42, 00, 00, 00, 00, 00, E8, FD, 73, 25, 00, E8, A8, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, C3, 48, 83, EC, 38, 48, 8D, 54, 24, 2F, 48, 8B, 05, D7, 4B, 42, 00, 48, 8D, 48, E8, E8, 86, F8, 2E, 00, 90, 48, 83, C4, 38, C3, 48, 83, EC, 38, 48, 8D, 54, 24, 2F, 48, 8B, 05, B0, 4B, 42, 00, 48, 8D, 48, E8, E8, 67, F8, 2E, 00, 90, 48, 83, C4, 38, C3, 48, 83, EC, 38, 48, 8D, 54, 24, 2F, 48, 8B, 05, 89, 4B, 42, 00, 48, 8D, 48, E8, E8, 48, F8, 2E, 00, 90, 48, 83, C4, 38, C3, 48, 83... 
[+]

Entropy:

6.4440

Code size:

3.2 MB (3,384,320 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to xmr3.crypto-pool.fr (212.129.27.81:80)

TCP (HTTP):

Connects to 212-129-46-76.rev.poneytelecom.eu (212.129.46.76:80)

TCP (HTTP):

Connects to xmr-tmp6.crypto-pool.fr (212.129.46.87:80)

TCP (HTTP):

Connects to xmr-tmp2.crypto-pool.fr (212.129.46.68:80)

TCP (HTTP):

Connects to xmr9.crypto-pool.fr (212.83.168.41:80)

TCP (HTTP):

Connects to xmr7.crypto-pool.fr (212.129.44.157:80)

TCP (HTTP):

Connects to xmr6.crypto-pool.fr (212.129.44.156:80)

TCP (HTTP):

Connects to xmr.crypto-pool.fr (212.129.46.59:80)

TCP (HTTP):

Connects to qcn.crypto-pool.fr (212.83.168.43:80)

TCP:

Connects to monero.crypto-pool.fr (212.129.9.16:6666)

TCP (HTTP):

Connects to xmr5.crypto-pool.fr (212.129.44.155:80)

TCP (HTTP):

Connects to xmr2.crypto-pool.fr (212.129.27.50:80)

TCP (HTTP):

Connects to xmr10.crypto-pool.fr (212.83.168.42:80)

TCP (HTTP):

Connects to xmr1.crypto-pool.fr (212.129.27.49:80)

TCP (HTTP):

Connects to bbr.crypto-pool.fr (212.83.168.39:80)

TCP:

Connects to mro.extremepool.org (216.119.175.73:5555)

TCP:

Connects to ec2-54-217-109-157.eu-west-1.compute.amazonaws.com (54.217.109.157:3336)

TCP:

Connects to 78-27-112-54.bb.dnainternet.fi (78.27.112.54:3003)

Remove gen64.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.