Trojan.Bitcoinminer.FD

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 4,569
Threat Level: 80 % (High)
Infected Computers: 17,797
First Seen: May 5, 2017
Last Seen: April 5, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Bitcoinminer.FD
Signature status: No Signature

Known Samples

MD5: 13a4381abff35515e4daabe4dbab04a6
SHA1: 4903e8615b2870faf6cff545fdcece7a48d53c46
SHA256: 9E91937090A1A32EB4AE32DC199AF2047DF41C60AB1BFDB4E2102A48352EDC89
File Size: 1.07 MB, 1074696 bytes
MD5: ddce5b17e452b0bfe3e5eefdd5ed64b1
SHA1: fb6c58b96270ee8121ba6e4de7bf4008a9f2928d
SHA256: 1DD2C379120D8FF2788707BDEEF5079D88717253E7D8B8D7F809A7A664AF5249
File Size: 541.18 KB, 541184 bytes
MD5: da05f465a1dae22532ce5c6361da592b
SHA1: 0d9ac25cbc80c93fec1e430c124c609a14af570c
SHA256: 1F42427B133B11762346B091F877CB7A9F87E0FF5C00DC1DC1CF045A33C285B1
File Size: 1.93 MB, 1925120 bytes
MD5: a97c99b65d07f4f25ce5d1b36198379d
SHA1: b13f13bd4382a7ee1161f3a79067e9cdf69ba069
SHA256: 8E443B112397C4F10FC8FD66616D2CD05921886618665D26226726AA9B995821
File Size: 2.58 MB, 2576384 bytes
MD5: 4d76120b409107743a06ab42eb3f2299
SHA1: 420937959ecccccaf85cf52c6e8d2f5d59a0f2c1
SHA256: DC90CBE0584F4E9F5BE7293B2C33C5C331E47AA91FD7C0F2D8E425E34E1E3949
File Size: 1.06 MB, 1064960 bytes
MD5: 16dd5aff41dbaf162f5fb8b12fadb803
SHA1: 8a1bbf1c1f45f76fd553cac40d646fe14baf2198
SHA256: 10A9035B438B8433F5113027F878A7B7E64247B0A90D9CD17338D045E2363F55
File Size: 958.46 KB, 958464 bytes
MD5: 9817b4670acba46577d18c6c281078e7
SHA1: 711e4f32abae10caecdfe63151a94d4651b3b2f9
SHA256: 02771B39E318D20CDA3074CF97F8FE05B5A7625DFF40531AFB97A5223A12E66A
File Size: 1.97 MB, 1971712 bytes
MD5: bb7891ff42dc26a767e5ef4ada76f1a9
SHA1: 2fae2c199fa908632decf7f0c0911500b11488d7
SHA256: F6ECA1822FAFEF30978200FA2392596DABC2A8B7B0A86461D8F8305AD2111A09
File Size: 3.44 MB, 3436544 bytes
MD5: 373a5753b425914c94e480a824e69c72
SHA1: ab0f60fe3d0913e9310afbf625681e628e071449
SHA256: C76DF3920EDDC3CCAE29FA7332850CB512D87473BCCB642E07EA40C314570DD9
File Size: 4.55 MB, 4550656 bytes
MD5: 53ec13f9d082df312cf02005f3e336e1
SHA1: 56bd3e9a0cd562beb72d2566892be5e592aa8235
SHA256: 031B73E835C1C3D1759F99970094F44EC46DB4339C9A2B540C917CB47076A53A
File Size: 1.66 MB, 1658880 bytes
MD5: c10d6134d3d7b3fbd776b4ed5046e857
SHA1: ea0f18615810e82957d5b46e650dcd75fd365e3c
SHA256: ABA73CE2C278E9CEE072A0541BF222127F4EC47FEBBD67A32384E3763C2068D2
File Size: 630.27 KB, 630272 bytes
MD5: c8a583d1e888541a8372ed328a287769
SHA1: a895413ee5bdb696c96965bff84ac152f6bf838f
SHA256: 3EFC65AA02CD4AC0B86F1E61D34B60F832EC98D61F3CA776BD65E235705626DA
File Size: 1.41 MB, 1411768 bytes
MD5: 2a2998a6b13cc23c6cc473df9c51ed3e
SHA1: 9df39d3a7831c7bd12fd8bbf8abd06c1cc4cbca8
SHA256: E11617C828C35BED4663233F865A6B4B91240AB19B2A35F4DCE869AA45B615D2
File Size: 5.43 MB, 5427001 bytes
MD5: 1ccb9583042ffeb5116252b5b8b52bb5
SHA1: d993ded712510d2aa880b9f701945db65ccc7c87
SHA256: 1A4FD174F2EF45D72038610C5DDE7F5F3BEF82F0AAB4C37E56E022ED369E0F5E
File Size: 1.90 MB, 1900544 bytes
MD5: 02b5ec7c03cdb95af2c2128e6ccc89f8
SHA1: 5555fa9ad528b5cc4cc6408ecf50038a6884d9a0
SHA256: C41823EB7F221086117DD9E3EEAF1DBD21D77171B4618C16DEC11922A0F3E561
File Size: 2.77 MB, 2766336 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Comments
  • Microsoft Corporation
  • RuntimeBroker
  • This installation was built with Inno Setup.
  • Windows 服务主进程
  • 本机硬件信息
  • 本程序使用易语言编写(http://www.eyuyan.com)
Company Name
  • fransis wolf
  • Microsoft Corporation
  • RuntimeBroker
  • Synaptics
  • 优捷易_51Cxsoft.com
  • 网易公司
File Description
  • minesweeper Setup
  • Synaptics Pointing Device Driver
  • Windows host process (Rundll32)
  • Windows 服务主进程
  • 定制功能update
  • 应用程序
  • 易语言助手 - 词库管理程序
  • 本机硬件信息
  • 网易有道翻译安装程序
File Version
  • 10.2.0.0
  • 8.9.8.9
  • 1.9.1.413
  • 1.0.19041.1648
  • 1.0.0.4
  • 1.0.0.0
Legal Copyright
  • (C) 网易公司
  • © Microsoft Corporation. All rights reserved.
  • Copyright(C) 2013-2026 51Cxsoft.com 版权所有
  • RuntimeBroker
  • 作者版权所有 请尊重并使用正版
Product Name
  • GEE系列插件
  • Microsoft® Windows® Operating System
  • minesweeper
  • RuntimeBroker
  • Synaptics Pointing Device Driver
  • Windows 服务主进程
  • 本机硬件信息
  • 网易有道翻译
  • 词库管理程序
Product Version
  • 8.9.8.9
  • 1.9.1.413
  • 1.0.19041.1648
  • 1.0.0.0

Digital Signatures

Signer | Root | Status
Copyright(C) 2013-2026 51Cxsoft.com 版权所有 | Copyright(C) 2013-2026 51Cxsoft.com 版权所有 | Self Signed
JetBrains s.r.o. | thawte Primary Root CA | Hash Mismatch
JetBrains s.r.o. | thawte Primary Root CA | Hash Mismatch

File Traits

  • 2+ executable sections
  • dll
  • HighEntropy
  • Installer Manifest
  • MPRESS Win32
  • Native MPRESS x86
  • No Version Info
  • packed
  • WriteProcessMemory
  • x86

Block Information

Total Blocks: 2,559
Potentially Malicious Blocks: 436
Whitelisted Blocks: 1,984
Unknown Blocks: 139

Visual Map

[Block map: one marker per analysed block, laid out in reading order; the source truncates the data ("... Data truncated"). Legend below.]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Bitcoinminer.FD
  • CoinMiner.BB
  • Emotet.AAJ
  • Emotet.AAL
  • FlyStudio.CA
  • Kryptik.FHE
  • Tofsee.BP
  • Upatre.WIA

Files Modified

File | Attributes
c:\program files\common files\system\symsrv.dll | Generic Write, Read Attributes
c:\programdata\synaptics | Synchronize, Write Attributes
c:\programdata\synaptics\rcxbf6d.tmp | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\programdata\synaptics\synaptics.exe | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 262144
c:\programdata\synaptics\synaptics.exe | Synchronize, Write Attributes
c:\programdata\synaptics\synaptics.exe | Synchronize, Write Data
c:\users\user\appdata\local\temp\a1d26e2\a37df341ed0.tmp | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\is-3n66u.tmp\9df39d3a7831c7bd12fd8bbf8abd06c1cc4cbca8_0005427001.tmp | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\uttftia.ini | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\users\user\appdata\roaming\winsl | Synchronize, Write Attributes
c:\users\user\appdata\roaming\winsl\l1\24\2026 | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\users\user\downloads\._cache_711e4f32abae10caecdfe63151a94d4651b3b2f9_0001971712 | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\users\user\downloads\._cache_711e4f32abae10caecdfe63151a94d4651b3b2f9_0001971712 | Synchronize, Write Attributes

Registry Modifications

Key::Value | Data | API Name
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries | | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::synaptics pointing device driver | C:\ProgramData\Synaptics\Synaptics.exe | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Network Winsock2
  • WSAStartup
  • WSAttemptAutodialName
Service Control
  • OpenSCManager
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
Process Manipulation Evasion
  • NtUnmapViewOfSection
Network Winhttp
  • WinHttpOpen
Network Wininet
  • InternetOpen
  • InternetOpenUrl
  • InternetReadFile
Network Winsock
  • bind
  • closesocket
  • gethostbyname
  • getsockname
  • socket
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWriteFile

Shell Command Execution

runas c:\users\user\downloads\._cache_711e4f32abae10caecdfe63151a94d4651b3b2f9_0001971712
runas C:\ProgramData\Synaptics\Synaptics.exe InjUpdate
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\2fae2c199fa908632decf7f0c0911500b11488d7_0003436544.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\56bd3e9a0cd562beb72d2566892be5e592aa8235_0001658880.,LiQMAxHB
"C:\Users\Icetxdor\AppData\Local\Temp\is-3N66U.tmp\9df39d3a7831c7bd12fd8bbf8abd06c1cc4cbca8_0005427001.tmp" /SL5="$602B8,5030701,54272,c:\users\user\downloads\9df39d3a7831c7bd12fd8bbf8abd06c1cc4cbca8_0005427001"
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5555fa9ad528b5cc4cc6408ecf50038a6884d9a0_0002766336.,LiQMAxHB
