vc_redist(x86).exe

The application vc_redist(x86).exe has been detected as a potentially unwanted program by 23 anti-malware scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name 'Visual C++ Redistributable 2010'. This is a malicious Bitcoin miner. Bitcoin-mining malware forces the infected computer to generate Bitcoins for the cybercriminals' benefit and consumes its computing power. While running, it connects to the Internet address ip-172-26-136-19.ec2.internal on port 80 using the HTTP protocol.
MD5:
cd8d5c604f5ac93cbb4a7da66e5eeb24

SHA-1:
8fc7310d739a3a9e826f58df15d99c14744d241a

SHA-256:
6224fcd79ad6d1da14042dc50b38f7099be7762c647dacd6d7b7415351b6f09b

Scanner detections:
23 / 68

Status:
Potentially unwanted

Explanation:
The program mines Bitcoins in the background using the computer's GPU, and it may be installed and run without the user's knowledge.

Analysis date:
4/25/2024 3:39:40 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Generic.11135288 | 918
Agnitum Outpost | Trojan.Graftor | 7.1.1
AhnLab V3 Security | Trojan/Win32.BitCoinMiner | 2014.07.29
Avira AntiVirus | APPL/Graftor.120316.25 | 7.11.164.86
avast! | SFX:Dropper-CO [Drp] | 2014.9-140731
Baidu Antivirus | Hacktool.Win32.Sniffer | 4.0.3.14731
Comodo Security | UnclassifiedMalware | 19010
Dr.Web | Trojan.DownLoader9.22516 | 9.0.1.0212
ESET NOD32 | Win32/CoinMiner.MB (variant) | 8.10169
Fortinet FortiGate | W32/CoinMiner.MB!tr | 7/31/2014
G Data | Trojan.Generic.11135288 | 14.7.24
IKARUS anti.virus | Trojan.SuspectCRC | t3scan.1.6.1.0
K7 AntiVirus | Trojan | 13.181.12872
Kaspersky | not-a-virus:NetTool.Win32.Sniffer | 14.0.0.3476
McAfee | Artemis!CD8D5C604F5A | 5600.7052
MicroWorld eScan | Trojan.Generic.11135288 | 15.0.0.636
NANO AntiVirus | Riskware.Win32.BitCoinMiner.cqzktk | 0.28.2.61148
nProtect | Trojan.Generic.11135288 | 14.07.28.01
Qihoo 360 Security | Win32/Trojan.48f | 1.0.0.1015
Quick Heal | NetTool.Sniffer.g8 (Not a Virus) | 7.14.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.1683EBC6!377744326 | 23.00.65.14729
Trend Micro | TROJ_GEN.R0CBC0EE514 | 10.465.31
VIPRE Antivirus | Trojan.Win32.Generic | 31710

File size:
5 MB (5,269,504 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\vc_redist(x86).exe

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:tNmmxTgfm9gSi0hhQ8EybUlVyXTLwd4U5mr4U5mr4U5mr4U5m:tNmbmGSZc8ENVynwqggg

Entry address:
0x2FFE8

Entry point:
55, 8B, EC, 83, C4, F0, 33, C0, 89, 45, F0, B8, 78, FC, 42, 00, E8, 43, 55, FD, FF, 33, C0, 55, 68, 90, 00, 43, 00, 64, FF, 30, 64, 89, 20, 8D, 55, F0, B8, 01, 00, 00, 00, E8, 44, 75, FD, FF, 8B, 45, F0, BA, A4, 00, 43, 00, E8, 23, 35, FD, FF, 75, 18, 6A, 00, 68, A8, 00, 43, 00, 68, B4, 00, 43, 00, 6A, 00, E8, 7A, 5A, FD, FF, E8, 9D, 30, FD, FF, B2, 01, A1, 10, 92, 42, 00, E8, 29, 92, FF, FF, 8B, 15, 7C, 19, 43, 00, 89, 02, A1, 7C, 19, 43, 00, 8B, 00, 8B, 40, 04, E8, 16, F4, FD, FF, A1, B4, 19, 43, 00, E8...

Developed / compiled with:
Microsoft Visual C++

Code size:
188.5 KB (193,024 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Visual C++ Redistributable 2010

Command:
C:\users\{user}\appdata\roaming\vc_redist(x86).exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-172-26-136-17.ec2.internal  (172.26.136.17:80)

TCP (HTTP):
Connects to hdc86-35-3-193.romtelecom.net  (86.35.3.193:80)

TCP (HTTP):
Connects to ip-172-26-136-19.ec2.internal  (172.26.136.19:80)

TCP (HTTP):
Connects to srv03.hotlog.ru  (95.163.105.103:80)

TCP (HTTP):
Connects to client.hopone.net  (74.84.130.64:80)

Remove vc_redist(x86).exe - Powered by Reason Core Security