Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 10, 2021, 9:19 a.m.	April 10, 2021, 9:21 a.m.

Size	7.0MB
Type	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5	`aa318a599fee3d322d6b5fa6d4b568de`
SHA256	`9b324b9905c4e32ccf5cba0249ab82262173486f6382e170cbf2fafab1846fd9`
CRC32	`6A74B94F`
ssdeep	`98304:A8mbRhIPA7LGtp8c0GgM7hdcMmF2YH09lIyr8Libh8jzacrUfN+yeLEE7iO7pQkS:IGhQL0PKiO9ksDoYdRI`
Yara	create_service - Create a windows service network_udp_sock - Communications over UDP network network_tcp_listen - Listen for incoming communication network_tcp_socket - Communications over RAW socket network_dns - Communications use DNS bitcoin - Perform crypto currency mining escalate_priv - Escalade priviledges keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE64 - (no description) IsConsole - (no description) HasOverlay - Overlay Check

xmrig.exe "C:\Users\test22\AppData\Local\Temp\xmrig.exe"
112

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 10, 2021, 9:19 a.m.	process_identifier: 112 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Application.Miner.2
FireEye	Generic.mg.aa318a599fee3d32
CAT-QuickHeal	Trojan.CoinMiner
Qihoo-360	Win32/Miner.BitMiner.H8oAwk0A
ALYac	Gen:Variant.Application.Miner.2
Cylance	Unsafe
Zillya	Trojan.Miner.Win32.11970
K7AntiVirus	Riskware ( 005622c31 )
Alibaba	RiskWare:Win64/Miners.33d6b85f
K7GW	Riskware ( 005622c31 )
CrowdStrike	win/malicious_confidence_60% (D)
Cyren	W64/Coinminer.BN.gen!Eldorado
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win64/CoinMiner.PO potentially unwanted
APEX	Malicious
Avast	Win64:CoinminerX-gen [Trj]
ClamAV	Win.Coinminer.Generic-7151250-0
Kaspersky	not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
BitDefender	Gen:Variant.Application.Miner.2
NANO-Antivirus	Riskware.Win64.BitMiner.iowycx
AegisLab	Riskware.Win32.BitMiner.1!c
Ad-Aware	Gen:Variant.Application.Miner.2
Comodo	ApplicUnwnt@#27bqim17uj78e
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Coinminer.Win64.MALXMR.SMA
McAfee-GW-Edition	BehavesLike.Win64.Generic.vh
Emsisoft	Gen:Variant.Application.Miner.2 (B)
SentinelOne	Static AI - Suspicious PE
Jiangmin	RiskTool.BitMiner.ccsa
Webroot	W32.Trojan.Gen
Gridinsoft	Trojan.Win64.CoinMiner.vb
Microsoft	PUA:Win64/CoinMiner
ZoneAlarm	not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
GData	Win32.Application.CoinMiner.Y
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win64.XMR-Miner.R226842
Acronis	suspicious
McAfee	GenericRXAA-FA!AA318A599FEE
MAX	malware (ai score=70)
Malwarebytes	RiskWare.BitCoinMiner
TrendMicro-HouseCall	TROJ_GEN.R002H0CC821
Rising	HackTool.XMRMiner!1.C2EC (CLASSIC)
Yandex	Riskware.Agent!DBYU07VOjQ0
Ikarus	PUA.CoinMiner
Fortinet	W64/CoinMiner.PO!tr
AVG	Win64:CoinminerX-gen [Trj]
Cybereason	malicious.99fee3
Panda	Trj/CI.A
MaxSecure	Trojan.Malware.121218.susgen

xmrig.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All