steam client

The file steam client has been detected as a potentially unwanted program by 4 of 68 anti-malware scanners, all of which classify it as a Bitcoin miner (unwanted/PUP/hacktool detections; see the scanner table below). Mining malware of this kind uses the victim's CPU or GPU to perform proof-of-work hashing for the operator's benefit, consuming computing power and electricity while the mined coins go to the attacker, not the user. The filename mimics Valve's Steam client, but the path where it was observed (C:\users\{user}\appdata\roaming\tuneup software\codexi\) is not a Steam installation directory, so the name is not evidence of legitimacy. While running, it makes outbound TCP connections on port 9001, including to ms644.moonshot.servdiscount-customer.com (see the network communications section below).
MD5:
edd82d7aca7c70851bbcfcb100b1b1ca

SHA-1:
eac991dfd6402c9a69b1d70d999725d9df671827

SHA-256:
29405a34098a89272cf94e9ce9ce3953649574acabd9926d7e7e422b5bba3155

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
The program mines Bitcoin using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
4/29/2024 12:18:46 PM UTC (the engine versions listed below date from December 2014, so the detections themselves predate this analysis date)

Scan engine | Detection | Engine version
AhnLab V3 Security | Unwanted/Win32.BitCoinMiner | 2014.12.13
avast! | Multi:BitCoinMiner-C [PUP] | 2014.9-141215
Baidu Antivirus | Hacktool.Win32.BitCoinMiner | 4.0.3.141215
ESET NOD32 | Win32/BitCoinMiner.BY (variant) | 8.10868

File size:
1.4 MB (1,471,488 bytes)

Common path:
C:\users\{user}\appdata\roaming\tuneup software\codexi\steam client

File PE Metadata
Compilation timestamp:
12/5/2014 12:16:50 PM

Minimum OS version (PE optional header):
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22 (GNU ld; characteristic of MinGW-built executables, and consistent with the GCC start-up stub at the entry point below)

CTPH (ssdeep):
24576:hHER7fBlKHP43duYyMLDHWO9UJNF7MyO679Sirzjn0v4hqw67HrJfmkqpiK/zUvZ:hHExZlKHP4/yMLDHWO9QjLSWjn0v4hiB

Entry address (AddressOfEntryPoint, RVA):
0x1284

Entry point (first bytes; the listing is truncated on the page):
55, 89, E5, 83, EC, 18, C7, 04, 24, 02, 00, 00, 00, FF, 15, 90, D5, 52, 00, E8, 64, FD, FF, FF, 55, 89, E5, 83, EC, 08, A1, C8, D5, 52, 00, C9, FF, E0, 66, 90, 55, 89, E5, 83, EC, 08, A1, A8, D5, 52, 00, C9, FF, E0, 90, 90, 55, 89, E5, 83, EC, 18, C7, 04, 24, 00, 70, 4D, 00, E8, 7A, 2C, 0D, 00, 52, 85, C0, 74, 65, C7, 44, 24, 04, 13, 70, 4D, 00, 89, 04, 24, E8, 6D, 2C, 0D, 00, 83, EC, 08, 85, C0, 74, 11, C7, 44, 24, 04, 08, 50, 52, 00, C7, 04, 24, 00, 80, 51, 00, FF, D0, 8B, 0D, C0, 67, 4D, 00, 85, C9, 74...

The opening sequence decodes as push ebp; mov ebp, esp; sub esp, 0x18; mov dword [esp], 2; call dword [0x0052D590]; call rel32, which is the standard GCC/MinGW C run-time start-up stub (a __set_app_type(2) call followed by the CRT initialisation call). It identifies the tool-chain the sample was built with, not the miner payload, so it is not a useful detection signature on its own.

Entropy:
6.3933 (moderate for a compiled executable; packed or encrypted binaries typically approach 8, so this value does not by itself suggest packing)

Code size:
846.5 KB (866,816 bytes)
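The hashes, common path and entry-point bytes above can be turned into a small host-side triage routine. The following is an added example written for this page, not code from the original report or from Reason Core Security: it compares a file's digests against the three reported hashes, flags the reported filename/location combination, reads AddressOfEntryPoint from the PE header and maps it to a file offset, and checks the bytes there for the GCC/MinGW start-up stub. The function names, the constructed minimal PE image used to exercise the parser, and the sample paths are all this example's own assumptions.

```python
import hashlib
import re
import struct

# Indicators copied from the report above. The function names, the synthetic PE
# and the sample paths are this example's own constructions.
IOC_HASHES = {
    "md5": "edd82d7aca7c70851bbcfcb100b1b1ca",
    "sha1": "eac991dfd6402c9a69b1d70d999725d9df671827",
    "sha256": "29405a34098a89272cf94e9ce9ce3953649574acabd9926d7e7e422b5bba3155",
}
REPORTED_ENTRY_RVA = 0x1284
REPORTED_ENTRY_BYTES = ("55, 89, E5, 83, EC, 18, C7, 04, 24, 02, 00, 00, 00, FF, 15, "
                        "90, D5, 52, 00, E8, 64, FD, FF, FF, ...")

# push ebp / mov ebp,esp / sub esp,imm8 / mov dword [esp],2 / call [imm32]:
# the GCC/MinGW CRT start-up stub (__set_app_type(2)), imm8 wildcarded. It
# identifies the tool-chain, not the miner, so treat it as supporting evidence.
MINGW_ENTRY_STUB = re.compile(
    rb"\x55\x89\xE5\x83\xEC.\xC7\x04\x24\x02\x00\x00\x00\xFF\x15", re.DOTALL)

def parse_hex_list(text):
    """Turn the report's 'AA, BB, CC, ...' listing into bytes (ignores the '...')."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", text))

def hash_bytes(data):
    """MD5/SHA-1/SHA-256 of an in-memory file image (stream for very large files)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def matching_iocs(hashes):
    """Algorithms whose digest equals the reported one; any single hit is a match."""
    return sorted(alg for alg, val in IOC_HASHES.items() if hashes.get(alg, "").lower() == val)

def suspicious_steam_path(path):
    """The report's common path: a file named 'steam client' under a roaming
    AppData profile. Steam's own binaries live in its installation directory."""
    norm = path.replace("/", "\\").lower()
    name = norm.rsplit("\\", 1)[-1]
    return name in ("steam client", "steam client.exe") and "\\appdata\\roaming\\" in norm

def looks_like_mingw_entry(code):
    return MINGW_ENTRY_STUB.match(code) is not None

def pe_entry_point(data):
    """(AddressOfEntryPoint, first 32 bytes at it) for a PE32 image, else (None, b'')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None, b""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None, b""
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 40)[0]  # optional header + 16
    sect = pe + 24 + opt_size                                # first section header
    for i in range(nsections):                               # map RVA -> file offset
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            off = rawptr + (entry_rva - vaddr)
            return entry_rva, data[off:off + 32]
    return entry_rva, b""

def build_sample_pe(entry_code):
    """Constructed minimal PE32 (not the real sample): one .text section at RVA
    0x1000 / file offset 0x200, with entry_code placed at the reported RVA 0x1284."""
    text_rva, text_raw = 0x1000, 0x200
    text = bytearray(0x400)
    start = REPORTED_ENTRY_RVA - text_rva
    text[start:start + len(entry_code)] = entry_code
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, REPORTED_ENTRY_RVA)      # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva, len(text),
                          text_raw, 0, 0, 0, 0, 0x60000020)
    header = bytearray(text_raw)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)               # e_lfanew
    pe = b"PE\0\0" + coff + bytes(opt) + section
    header[0x80:0x80 + len(pe)] = pe
    return bytes(header) + bytes(text)

if __name__ == "__main__":
    sample = build_sample_pe(parse_hex_list(REPORTED_ENTRY_BYTES))
    rva, code = pe_entry_point(sample)
    print(hex(rva), looks_like_mingw_entry(code), matching_iocs(hash_bytes(sample)))
    print(suspicious_steam_path(r"C:\users\alice\appdata\roaming\tuneup software\codexi\steam client"))
```

Hash matches are exact and therefore brittle against recompiled variants; the path heuristic and the entry-point check are there to widen the net, but the stub matches every MinGW-built program, so on its own it is only a hint that a file called "steam client" was not built with Valve's tool-chain and deserves a closer look.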

When executed in live environments, the file has been observed making the following outbound network connections. All three are to TCP port 9001; the port is a useful hunting pivot alongside the hostnames and addresses, which an operator can change more easily.

TCP:
Connects to no-hostname.azar-a.net  (91.219.239.125:9001)

TCP:
Connects to sa0847.azar-a.net  (91.219.238.136:9001)

TCP:
Connects to ms644.moonshot.servdiscount-customer.com  (89.163.220.137:9001)

Report powered by Reason Core Security.