gen64.exe

The executable gen64.exe has been detected as malware by 24 anti-virus scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address xmr9.crypto-pool.fr on port 80 using the HTTP protocol.
MD5:
8431e21e4f48be4a4119aef7452e270f

SHA-1:
9df28903fd4014286a774471b2c056f9af0489d5

SHA-256:
50109b609f1efa2099067bc132a22a43a60966e1fc58c2c808e3d44c074da6cb

Scanner detections:
24 / 68

Status:
Malware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
10/15/2019 11:12:47 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.11581195
860

Agnitum Outpost
Trojan.BitMin
7.1.1

AhnLab V3 Security
Trojan/Win64.ADH
2014.10.13

Baidu Antivirus
Trojan.Win64.BitCoinMiner
4.0.3.15313

Bitdefender
Trojan.Generic.11581195
1.0.20.1350

Emsisoft Anti-Malware
Trojan.Generic.11581195
8.14.09.27.11

ESET NOD32
Win64/BitCoinMiner.AH (variant)
8.10160

Fortinet FortiGate
W64/BitMin.AH!tr
9/27/2014

F-Secure
Trojan.Generic.11581195
11.2014-27-09_7

G Data
Trojan.Generic.11581195
14.9.24

IKARUS anti.virus
Trojan.Win64.BitMin
t3scan.1.6.1.0

Kaspersky
Trojan.Win64.BitMin
14.0.0.3185

MicroWorld eScan
Trojan.Generic.11581195
15.0.0.810

NANO AntiVirus
Trojan.Win64.BitCoinMiner.devhlj
0.28.2.62483

Norman
BitMin.A
11.20140927

nProtect
Trojan.Generic.11477218
14.10.12.01

Panda Antivirus
Trj/Chgt.A
14.09.27.11

Quick Heal
Trojan.Win64.g9
3.15.14.00

Reason Heuristics
Threat.Win.Reputation.IMP
15.3.13.1

Rising Antivirus
PE:Trojan.Win32.Generic.17075C88!386358408
23.00.65.15311

Trend Micro House Call
Suspicious_GEN.F47V0720
7.2.270

Vba32 AntiVirus
Trojan.Win64.BitMin
3.12.26.3

VIPRE Antivirus
Trojan.Win32.Generic
33862

ViRobot
Trojan.Win64.A.BitMin.4550144
2011.4.7.4223

File size:
4.1 MB (4,345,856 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\roaming\gen64\gen64.exe

File PE Metadata
Compilation timestamp:
6/27/2014 9:56:33 AM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.23

CTPH (ssdeep):
49152:OJb6EBsIpths+zdGFGPRrG5hucsmY05PNRFEn37M55Fh5eiARc0HETi+DJG88aIm:/FN7A7ClVVxTicGNa8lk

Entry address:
0x14C0

Entry point:
48, 83, EC, 28, C7, 05, 22, 8B, 42, 00, 00, 00, 00, 00, E8, FD, 73, 25, 00, E8, A8, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, C3, 48, 83, EC, 38, 48, 8D, 54, 24, 2F, 48, 8B, 05, D7, 4B, 42, 00, 48, 8D, 48, E8, E8, 86, F8, 2E, 00, 90, 48, 83, C4, 38, C3, 48, 83, EC, 38, 48, 8D, 54, 24, 2F, 48, 8B, 05, B0, 4B, 42, 00, 48, 8D, 48, E8, E8, 67, F8, 2E, 00, 90, 48, 83, C4, 38, C3, 48, 83, EC, 38, 48, 8D, 54, 24, 2F, 48, 8B, 05, 89, 4B, 42, 00, 48, 8D, 48, E8, E8, 48, F8, 2E, 00, 90, 48, 83, C4, 38, C3, 48, 83...
 
[+]

Entropy:
6.4440

Code size:
3.2 MB (3,384,320 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to xmr3.crypto-pool.fr  (212.129.27.81:80)

TCP (HTTP):
Connects to 212-129-46-76.rev.poneytelecom.eu  (212.129.46.76:80)

TCP (HTTP):
Connects to xmr-tmp6.crypto-pool.fr  (212.129.46.87:80)

TCP (HTTP):
Connects to xmr-tmp2.crypto-pool.fr  (212.129.46.68:80)

TCP (HTTP):
Connects to xmr9.crypto-pool.fr  (212.83.168.41:80)

TCP (HTTP):
Connects to xmr7.crypto-pool.fr  (212.129.44.157:80)

TCP (HTTP):
Connects to xmr6.crypto-pool.fr  (212.129.44.156:80)

TCP (HTTP):
Connects to xmr.crypto-pool.fr  (212.129.46.59:80)

TCP (HTTP):
Connects to qcn.crypto-pool.fr  (212.83.168.43:80)

TCP:
Connects to monero.crypto-pool.fr  (212.129.9.16:6666)

TCP (HTTP):
Connects to xmr5.crypto-pool.fr  (212.129.44.155:80)

TCP (HTTP):
Connects to xmr2.crypto-pool.fr  (212.129.27.50:80)

TCP (HTTP):
Connects to xmr10.crypto-pool.fr  (212.83.168.42:80)

TCP (HTTP):
Connects to xmr1.crypto-pool.fr  (212.129.27.49:80)

TCP (HTTP):
Connects to bbr.crypto-pool.fr  (212.83.168.39:80)

TCP:
Connects to mro.extremepool.org  (216.119.175.73:5555)

TCP:
Connects to ec2-54-217-109-157.eu-west-1.compute.amazonaws.com  (54.217.109.157:3336)

TCP:
Connects to 78-27-112-54.bb.dnainternet.fi  (78.27.112.54:3003)

Remove gen64.exe - Powered by Reason Core Security