» vc_redist(x64).exe
Overview
Analysis
File Details
Behaviors (1)
Network (4)

vc_redist(x64).exe

The application vc_redist(x64).exe has been detected as a potentially unwanted program by 28 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Visual C++ Redistributable 2010 - x64’. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address ip-172-26-136-19.ec2.internal on port 80 using the HTTP protocol.

File name:

vc_redist(x64).exe

MD5:

b548d37e703007704d43c1e1b3c689b7

SHA-1:

0b95433f5e88cce43cd48830828d46c47939b909

SHA-256:

19d17eeead1f06f85cca1fd86408ee2c93a17ca84a644e7805d6e1c0b255caac

Scanner detections:

28 / 68

Status:

Potentially unwanted

Explanation:

The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:

4/27/2024 12:05:25 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.11130624

918

Agnitum Outpost

Trojan.Graftor

7.1.1

AhnLab V3 Security

Trojan/Win32.BitCoinMiner

14.07.31

Avira AntiVirus

APPL/Graftor.120316.25

7.11.128.170

avast!

Java:BitCoinMiner-A [PUP]

2014.9-140731

Baidu Antivirus

Hacktool.Win32.Sniffer

4.0.3.14731

Bitdefender

Trojan.Generic.11130624

1.0.20.1060

Comodo Security

Application.Win32.BitCoinMiner.~JO

17723

Dr.Web

Tool.BtcMine.83

9.0.1.0212

Emsisoft Anti-Malware

Trojan.Generic.11130624

8.14.07.31.06

ESET NOD32

Win32/CoinMiner.MB (variant)

8.9728

Fortinet FortiGate

W32/CoinMiner.MB!tr

7/31/2014

F-Secure

Trojan.Generic.11130624

11.2014-31-07_5

G Data

Trojan.Generic.11130624

14.7.24

IKARUS anti.virus

Trojan.SuspectCRC

t3scan.1.6.1.0

K7 AntiVirus

Trojan

13.175.11046

Kaspersky

not-a-virus:NetTool.Win32.Sniffer

14.0.0.3476

Malwarebytes

PUP.Optional.Cgminer

v2014.07.31.06

McAfee

Artemis!A6C13156E631

5600.7052

MicroWorld eScan

Trojan.Generic.11130624

15.0.0.636

NANO AntiVirus

Riskware.Win32.BitCoinMiner.cqzktk

0.28.0.57473

nProtect

Trojan.Generic.11130624

14.04.27.01

Panda Antivirus

Trj/Genetic.gen

14.07.31.06

Qihoo 360 Security

Win32/Virus.Sniffer.b91

1.0.0.1015

Quick Heal

NetTool.Sniffer.g8 (Not a Virus)

7.14.14.00

Sophos

Generic PUA MD

4.97

Trend Micro House Call

TROJ_GEN.R08NH07B214

7.2.212

VIPRE Antivirus

Trojan.Win32.Generic

28622

File size:

2.7 MB (2,784,768 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\vc_redist(x64).exe

File PE Metadata

Compilation timestamp:

6/20/1992 12:22:17 AM

OS version:

1.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

49152:Nfm9P4QIjvzui9NFZEv5heTP/MPEtMswFUlVGBjXQuxiMJbEt:Nfm9gSi0hhQ8EybUlVyXTLw

Entry address:

0x2473C

Entry point:

55, 8B, EC, 83, C4, F0, 33, C0, 89, 45, F0, B8, 84, 44, 42, 00, E8, FF, 03, FE, FF, 33, C0, 55, 68, E4, 47, 42, 00, 64, FF, 30, 64, 89, 20, 8D, 55, F0, B8, 01, 00, 00, 00, E8, 50, 23, FE, FF, 8B, 45, F0, BA, F8, 47, 42, 00, E8, DF, EB, FD, FF, 75, 18, 6A, 00, 68, FC, 47, 42, 00, 68, 08, 48, 42, 00, 6A, 00, E8, FE, 08, FE, FF, E8, FD, E7, FD, FF, B2, 01, A1, 44, ED, 41, 00, E8, 0D, A6, FF, FF, 8B, 15, 38, 58, 42, 00, 89, 02, A1, 38, 58, 42, 00, 8B, 00, 8B, 40, 04, E8, 26, 8D, FE, FF, A1, 5C, 58, 42, 00, E8... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

142.5 KB (145,920 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

Visual C++ Redistributable 2010 - x64

Command:

C:\users\{user}\appdata\roaming\vc_redist(x64).exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ip-172-26-136-17.ec2.internal (172.26.136.17:80)

TCP (HTTP):

Connects to ec2-54-72-52-58.eu-west-1.compute.amazonaws.com (54.72.52.58:80)

TCP (HTTP):

Connects to ip-172-26-136-19.ec2.internal (172.26.136.19:80)

TCP (HTTP):

Connects to ip-50-63-202-63.ip.secureserver.net (50.63.202.63:80)

Remove vc_redist(x64).exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.