steam

The file steam has been flagged by 15 of 68 anti-malware scanners. Most engines classify it as riskware or a potentially unwanted program (a Bitcoin miner); several flag it as a trojan. Mining malware uses the victim's CPU or GPU to generate cryptocurrency for the operator, at the cost of the victim's computing power, electricity and hardware wear. Do not confuse it with Valve's Steam client: the observed path under %APPDATA%\identities\codexi\ is unrelated to a Steam installation. While running, it connects to sa0847.azar-a.net on TCP port 9001 (see the network communications listed below).
MD5:
f9e9386140565d3d9fa41b04563f57c9

SHA-1:
4047dada8d8734a2c49548a6fd3a59defd305dba

SHA-256:
64da31f722878ed5987f3805e2086686f66b39e97376c43413357849907a7b73

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
The program mines Bitcoin using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
4/23/2024 10:46:28 PM UTC

Scan engine              Detection                                  Engine version
Agnitum Outpost          Riskware.BitCoinMiner                      7.1.1
Avira AntiVirus          TR/BitCoinMiner.1437836                    3.6.1.96
AVG                      Generic_s                                  2016.0.3152
Baidu Antivirus          Hacktool.Win32.BitCoinMiner                4.0.3.141224
Dr.Web                   Trojan.BtcMine.653                         9.0.1.092
ESET NOD32               Win32/BitCoinMiner.BY (variant)            8.10923
Fortinet FortiGate       Riskware/BitCoinMiner                      4/2/2015
Kaspersky                not-a-virus:RiskTool.Win32.BitCoinMiner    14.0.0.2253
McAfee                   Artemis!F9E938614056                       5600.6906
NANO AntiVirus           Riskware.Win32.BitCoinMiner.dnyuyr         0.30.8.659
Quick Heal               RiskTool.BitCoinMiner.g12 (Not a Virus)    4.15.14.00
Sophos                   Generic PUA EA                             4.98
Trend Micro House Call   Suspicious_GEN.F47V1219                    7.2.358
Trend Micro              TROJ_GEN.R00UC0OAK15                       10.465.02
VIPRE Antivirus          Trojan.Win32.Generic                       38896

File size:
1.4 MB (1,437,836 bytes)

Common path:
C:\users\{user}\appdata\roaming\identities\codexi\steam

File PE Metadata
Compilation timestamp:
12/16/2014 11:39:18 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
24576:ilynWPGz5ByMIDpPOxWFjMeK03oCirV6Opov2W67prJGiMrakF+zvNsc+O:ilynWPGzzyMIDpPOxWbsCI6OpxVrJ1CI

Entry address:
0x1284

Entry point:
55, 89, E5, 83, EC, 18, C7, 04, 24, 02, 00, 00, 00, FF, 15, C0, 64, 52, 00, E8, 64, FD, FF, FF, 55, 89, E5, 83, EC, 08, A1, F8, 64, 52, 00, C9, FF, E0, 66, 90, 55, 89, E5, 83, EC, 08, A1, D8, 64, 52, 00, C9, FF, E0, 90, 90, 55, 89, E5, 83, EC, 18, C7, 04, 24, 00, 30, 4D, 00, E8, 1A, AE, 0C, 00, 52, 85, C0, 74, 65, C7, 44, 24, 04, 13, 30, 4D, 00, 89, 04, 24, E8, 0D, AE, 0C, 00, 83, EC, 08, 85, C0, 74, 11, C7, 44, 24, 04, 08, E0, 51, 00, C7, 04, 24, 00, 20, 51, 00, FF, D0, 8B, 0D, A0, 27, 4D, 00, 85, C9, 74...

Code size:
830 KB (849,920 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to sa0847.azar-a.net  (91.219.238.136:9001)

TCP:
Connects to ms644.moonshot.servdiscount-customer.com  (89.163.220.137:9001)

TCP:
Connects to no-hostname.azar-a.net  (91.219.239.125:9001)
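The indicators on this page (file hashes, the common path, the first bytes at the entry point, and the three TCP 9001 destinations) turned into a small matcher and run over constructed sample records. This is an added example, not code from the Reason Core Security page or from any product. The function names, the one-line connection-record format and the sample records are this example's own assumptions; the remark that the entry prologue looks like a MinGW/GCC startup stub is an inference from the listed bytes and linker version, not something the page states.

```python
# Added example (not from the Reason Core Security page): match the page's
# indicators against constructed sample data. Function names and the log
# record format are assumptions made for this example.
import fnmatch
import hashlib
import re

# Digests copied from the page, normalised to lower case.
IOC_HASHES = {
    "md5": "f9e9386140565d3d9fa41b04563f57c9",
    "sha1": "4047dada8d8734a2c49548a6fd3a59defd305dba",
    "sha256": "64da31f722878ed5987f3805e2086686f66b39e97376c43413357849907a7b73",
}

# (hostname, ip, port) triples from the "network communications" section.
# The hostnames may be the hosting provider's generic reverse-DNS names
# rather than attacker-controlled domains, so match exact hostnames and
# ip:port pairs only, never the parent domains.
IOC_NET = {
    ("sa0847.azar-a.net", "91.219.238.136", 9001),
    ("ms644.moonshot.servdiscount-customer.com", "89.163.220.137", 9001),
    ("no-hostname.azar-a.net", "91.219.239.125", 9001),
}
IOC_HOSTS = {host for host, _, _ in IOC_NET}
IOC_IP_PORTS = {(ip, port) for _, ip, port in IOC_NET}

# Common path from the page; {user} becomes a glob wildcard.
IOC_PATH_GLOB = r"C:\users\*\appdata\roaming\identities\codexi\steam"

# First 24 bytes listed under "Entry point": push ebp / mov ebp,esp /
# sub esp,0x18 / mov dword [esp],2 / call [0x5264C0] / call rel32.
# Inference (not stated on the page): together with linker version 2.22
# this looks like a MinGW/GCC startup stub calling __set_app_type(2).
ENTRY_POINT_TEXT = ("55, 89, E5, 83, EC, 18, C7, 04, 24, 02, 00, 00, 00, "
                    "FF, 15, C0, 64, 52, 00, E8, 64, FD, FF, FF")


def parse_byte_listing(text: str) -> bytes:
    """Turn the page's 'AA, BB, ...' listing into bytes (a trailing '...' is ignored)."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", text))


ENTRY_POINT_SIG = parse_byte_listing(ENTRY_POINT_TEXT)


def hash_file_bytes(data: bytes) -> dict:
    """Compute the three digests the page lists, for a file's content."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_match(hashes: dict) -> bool:
    """True if any supplied digest equals the page's digest for the same algorithm."""
    return any(hashes.get(algo, "").lower() == digest for algo, digest in IOC_HASHES.items())


def path_matches(path: str) -> bool:
    """Case-insensitive match against the common path, for any user name."""
    return fnmatch.fnmatch(path.lower(), IOC_PATH_GLOB.lower())


def host_matches(name: str) -> bool:
    """Exact hostname match (for DNS logs); parent domains deliberately do not match."""
    return name.lower() in IOC_HOSTS


def entry_point_matches(image: bytes, entry_offset: int) -> bool:
    """True if the bytes at the given file offset start with the listed prologue."""
    return image[entry_offset:entry_offset + len(ENTRY_POINT_SIG)] == ENTRY_POINT_SIG


# Constructed connection records (not real telemetry), one per line:
# "<timestamp> <image path> <destination ip> <destination port>"
SAMPLE_CONNECTIONS = r"""
2024-04-23T22:46:28Z C:\users\alice\appdata\roaming\identities\codexi\steam 91.219.238.136 9001
2024-04-23T22:46:29Z C:\Program Files\Mozilla Firefox\firefox.exe 142.250.74.36 443
2024-04-23T22:47:02Z C:\Windows\System32\svchost.exe 91.219.238.136 9001
2024-04-23T22:47:10Z C:\users\bob\appdata\roaming\identities\codexi\steam 10.0.0.5 445
""".strip().splitlines()


def scan_connection_log(lines):
    """Return (timestamp, image, reasons) for every record that hits an indicator."""
    hits = []
    for line in lines:
        ts, rest = line.split(" ", 1)            # image path may contain spaces,
        image, ip, port = rest.rsplit(" ", 2)    # so peel ip and port off the right
        reasons = []
        if path_matches(image):
            reasons.append("known path")
        if (ip, int(port)) in IOC_IP_PORTS:
            reasons.append(f"miner C2 {ip}:{port}")
        if reasons:
            hits.append((ts, image, reasons))
    return hits


if __name__ == "__main__":
    for ts, image, reasons in scan_connection_log(SAMPLE_CONNECTIONS):
        print(ts, image, "->", "; ".join(reasons))
```

The hash check is exact and therefore brittle (a recompiled or repacked miner has different digests), which is why the path, the entry prologue and the ip:port pairs are matched as well; a process other than steam talking to one of the listed addresses on 9001, as the constructed svchost.exe record does, is still worth a look.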

Powered by Reason Core Security