Summary | ZeroBOX

kitten

Category: FILE
Machine: s1_win7_x6401
Started: April 23, 2021, 10:51 a.m.
Completed: April 23, 2021, 10:53 a.m.
Size 5.7MB
Type ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped
MD5 60b5637b9b22819fab90982f01a36d25
SHA256 b50a6cd058bc0161b847c553b6631e55d5f6dd69e2d2e78f82938aeb6ba4dd26
CRC32 3F2CA076
ssdeep 98304:+WQHP39EyyizGj3j/jM8MMM8MMMMMwMMwbvUvUvkGjrGjDjS62ivVI+Vpv5bDr99:uOyCjp9Fb2HXOB4SlMpDC
Yara
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73770000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x729b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728e4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x729b2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72c41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72a51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x729b2000
process_handle: 0xffffffff
1 0 0
Rule Description
win_files_operation Affect private profile
DebuggerCheck__GlobalFlags (no description)
DebuggerCheck__QueryInfo (no description)
DebuggerHiding__Thread (no description)
DebuggerHiding__Active (no description)
ThreadControl__Context (no description)
SEH__vectored (no description)
anti_dbg Checks if being debugged
disable_dep Bypass DEP
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE
registry HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\FileAssociations
Process injection Process 872 resumed a thread in remote process 1536
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000028c
suspend_count: 1
process_identifier: 1536
1 0 0
CAT-QuickHeal Elf.Trojan.A1521220
McAfee PUP-XMT-CY
Sangfor Suspicious.Linux.Save.a
Cyren E64/CoinMiner.B.gen!Camelot
Symantec Trojan.Gen.NPE
ESET-NOD32 a variant of Linux/CoinMiner.AV potentially unwanted
TrendMicro-HouseCall Coinminer.Linux.MALXMR.SMDSL64
Avast ELF:BitCoinMiner-HF [Trj]
ClamAV Multios.Coinminer.Miner-6781728-2
Kaspersky not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.n
NANO-Antivirus Riskware.Elf64.BitCoinMiner.iikikh
AegisLab Riskware.Linux.BitCoinMiner.1!c
Tencent Linux.Risk.Bitcoinminer.Wnwf
Comodo Malware@#2mjk2per7sf2m
DrWeb Tool.Linux.BtcMine.2730
TrendMicro Coinminer.Linux.MALXMR.SMDSL64
McAfee-GW-Edition PUP-XMT-CY
Avast-Mobile ELF:Miner-DM [Trj]
Jiangmin RiskTool.Linux.cdf
Avira LINUX/BitCoinMiner.gshxy
MAX malware (ai score=99)
Microsoft Trojan:Linux/CoinMiner.K
ZoneAlarm not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.n
GData Linux.Trojan.Agent.G76WI3
Cynet Malicious (score: 99)
AhnLab-V3 Linux/CoinMiner.Gen2
Rising HackTool.XMRMiner!1.C2EC (CLASSIC)
Fortinet Riskware/CoinMiner
AVG ELF:BitCoinMiner-HF [Trj]