winnet32b.exe

The executable winnet32b.exe has been detected as malware by 5 anti-virus scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address theblocksfactory.com on port 9002.
MD5:
56f634bdb2c336c0cac6092e820bed12

SHA-1:
ff2b7b47ee20142a702aa89587fb640a622c38af

SHA-256:
cbf69e526d2e38e29c8282721b1b9b5d1c4a0b6408f3f864e5244101be66dd37

Scanner detections:
5 / 68

Status:
Malware

Explanation:
The program mines Bitcoin using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
4/25/2024 5:07:39 PM UTC

Scan engine               Detection                                              Engine version
Baidu Antivirus           Hacktool.Win64.BitCoinMiner                            4.0.3.1536
Dr.Web                    hacktool program Tool.BtcMine.591                      9.0.1.05190
Emsisoft Anti-Malware     Gen:Application.Heur2.aaW@baaaaaaab                    11.5.0.6191
ESET NOD32                Win64/BitCoinMiner.AG potentially unsafe application   8.0.319.0
Norman                    Gen:Application.Heur2.tcW@baaaaaaab                    22.05.2016 07:18:28

File size:
2.3 MB (2,418,688 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\roaming\microsoft\networking\winnet32b.exe

File PE Metadata
Compilation timestamp:
12/18/2014 2:26:40 PM

OS version:
6.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
12.0

CTPH (ssdeep):
49152:+un2639EdHqs5hYa2nPZMrZ5hhyTrGBZ1T87NpyC:+h5qCaDmC

Entry address:
0x162070

Entry point:
48, 83, EC, 28, E8, F7, 01, 00, 00, 48, 83, C4, 28, E9, 7E, FE, FF, FF, CC, CC, 48, 83, EC, 28, 4D, 8B, 41, 38, 48, 8B, CA, 49, 8B, D1, E8, 0D, 00, 00, 00, B8, 01, 00, 00, 00, 48, 83, C4, 28, C3, CC, CC, CC, 40, 53, 48, 83, EC, 20, 45, 8B, 18, 48, 8B, DA, 4C, 8B, C9, 41, 83, E3, F8, 41, F6, 00, 04, 4C, 8B, D1, 74, 13, 41, 8B, 40, 08, 4D, 63, 50, 04, F7, D8, 4C, 03, D1, 48, 63, C8, 4C, 23, D1, 49, 63, C3, 4A, 8B, 14, 10, 48, 8B, 43, 10, 8B, 48, 08, 48, 03, 4B, 08, F6, 41, 03, 0F, 74, 0C, 0F, B6, 41, 03, 83...

Code size:
1.4 MB (1,447,936 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP:
Connects to theblocksfactory.com (176.31.126.191:9002)

Remove winnet32b.exe - Powered by Reason Core Security