phoenix.exe

The application phoenix.exe has been detected as a potentially unwanted program by 17 anti-malware scanners. This file is typically installed with the program Bitcoin by Bitcoin project. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address v5.srv.eligius.st on port 8337.
MD5:
d38aeeda5d1638e25715a2b67d44ba7d

SHA-1:
5d3e7db9c99f8e2672d44c66739483eebef94c5a

SHA-256:
50a4463e5ddbdfad509c8dd5dbca0858486b8c9af6ae2b89d463b937a582cf53

Scanner detections:
17 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for Bitcoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
7/14/2025 4:36:19 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Avira AntiVirus | SPR/BitCoinMiner.dav | 7.11.121.86 |
| avast! | Win32:PUP-gen [PUP] | 2014.9-131222 |
| AVG | Skodna.Generic_c | 2014.0.3617 |
| Baidu Antivirus | Trojan.Win32.Agent | 4.0.3.131222 |
| Bkav FE | W32.Clod73a.Trojan | 1.3.0.4613 |
| Comodo Security | ApplicUnsaf.Win32.BitCoinMiner.~A | 17482 |
| Dr.Web | Trojan.BtcMine.142 | 9.0.1.05190 |
| Emsisoft Anti-Malware | Trojan.Win32.CoinMiner | 8.13.12.22.06 |
| ESET NOD32 | Win32/BitCoinMiner.V potentially unsafe application | 6.3.12010.0 |
| Fortinet FortiGate | W32/BitCoinMiner.V | 12/22/2013 |
| K7 AntiVirus | Trojan | 13.174.10588 |
| Malwarebytes | PUP.Optional.BitCoinMiner | v2013.12.22.06 |
| NANO AntiVirus | Trojan.Win32.BtcMine.cjecrp | 0.28.0.57029 |
| Reason Heuristics | Unnamed.Threat.14 | 14.3.2.16 |
| Trend Micro House Call | TROJ_GEN.F0C2C00IR13 | 7.2.356 |
| Trend Micro | TROJ_GEN.F0C2C00IR13 | 10.465.22 |
| Vba32 AntiVirus | Trojan.BitCoinMiner.8113 | 3.12.24.3 |

File size:
6.3 MB (6,639,870 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
11/10/2008 3:40:34 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
9.0

CTPH (ssdeep):
196608:LL0IucsxtJ6N7ecFd+JI2yA0OVuawgcOlDJodcRd:LL0vxv6N7n+JmAphwgc+edcRd

Entry address:
0x2B28

Entry point:
E8, 7B, 03, 00, 00, E9, 9F, FD, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 8B, 00, 81, 38, 63, 73, 6D, E0, 75, 2A, 83, 78, 10, 03, 75, 24, 8B, 40, 14, 3D, 20, 05, 93, 19, 74, 15, 3D, 21, 05, 93, 19, 74, 0E, 3D, 22, 05, 93, 19, 74, 07, 3D, 00, 40, 99, 01, 75, 05, E8, D0, 03, 00, 00, 33, C0, 5D, C2, 04, 00, 68, 32, 2B, 40, 00, FF, 15, 28, 40, 40, 00, 33, C0, C3, FF, 25, 08, 41, 40, 00, 6A, 14, 68, 08, 42, 40, 00, E8, 68, 02, 00, 00, FF, 35, 60, 66, 40, 00, 8B, 35, B4, 40, 40, 00, FF, D6, 59, 89, 45, E4, 83, F8...
 

Entropy:
7.7280  (probably packed)

Code size:
8.5 KB (8,704 bytes)

Windows Firewall Allowed Program
Name:
C:\TEMP\phoenix-2.0.0\phoenix.exe


The file phoenix.exe has been discovered within the following program.

Bitcoin  by Bitcoin project
Publisher's description - “Bitcoin uses peer-to-peer technology to operate with no central authority; managing transactions and the issuing of bitcoins is carried out collectively by the network.”
www.bitcoin.org
About 9% of users remove it
 

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to static.45.38.9.5.clients.your-server.de  (5.9.38.45:8332)

TCP:
Connects to static.176.102.76.144.clients.your-server.de  (144.76.102.176:8332)

TCP:
Connects to v5.srv.eligius.st  (104.131.100.118:8337)
