Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 13, 2021, 9:25 a.m.	Sept. 13, 2021, 9:27 a.m.

Size	573.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`eda88d322065a9b364e4be013bb849f4`
SHA256	`78d02713e4ac21a18050820c90104b9aaf6e34d9fb5e7bb95f8cfeb87fef4430`
CRC32	`D7BB333E`
ssdeep	`12288:mihUQ04kkhWAkyvg/2g3uOEgDDa7H1hFInrRStkbDaYK:mYUQ0uQyA3uuaQ4kb`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature

java.exe "C:\Users\test22\AppData\Local\Temp\java.exe"
1108

Name	Response	Post-Analysis Lookup
xmr.f2pool.com	A 203.107.32.162 CNAME gf.f2pool.com	203.107.32.162

IP Address	Status	Action
164.124.101.2	Active	Moloch
203.107.32.162	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49199 -> 203.107.32.162:13531	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 13, 2021, 9:18 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 13, 2021, 9:18 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 13, 2021, 9:18 a.m.		1	1	0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004550a4

size

0x000002fc

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0008e800', u'virtual_address': u'0x003c6000', u'entropy': 7.999216194387262, u'name': u'UPX1', u'virtual_size': u'0x0008f000'}

entropy

7.99921619439

description

A section with a high entropy has been found

entropy

0.996503496503

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 13, 2021, 9:18 a.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	DeepScan:Generic.Dacic.1.BitCoinMiner.A.BD16E9F4
FireEye	Generic.mg.eda88d322065a9b3
ALYac	DeepScan:Generic.Dacic.1.BitCoinMiner.A.BD16E9F4
Malwarebytes	Trojan.BitCoinMiner.UPX
Cybereason	malicious.22065a
ESET-NOD32	a variant of Win64/CoinMiner.QG potentially unwanted
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Miner.gen
BitDefender	DeepScan:Generic.Dacic.1.BitCoinMiner.A.BD16E9F4
Ad-Aware	DeepScan:Generic.Dacic.1.BitCoinMiner.A.BD16E9F4
Sophos	XMRig Miner (PUA)
Jiangmin	Trojan.Miner.qhg
Antiy-AVL	Trojan/Win32.Miner
Kingsoft	Win32.Troj.Undef.(kcloud)
ZoneAlarm	HEUR:Trojan.Win32.Miner.gen
GData	DeepScan:Generic.Dacic.1.BitCoinMiner.A.BD16E9F4
AhnLab-V3	Win-Trojan/Miner3.Exp
Acronis	suspicious
MAX	malware (ai score=89)
Tencent	Win32.Trojan.Miner.Anzk
SentinelOne	Static AI - Malicious PE

java.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All