Summary | ZeroBOX

xmrig.exe

PE64 PE File
Category  FILE
Machine   s1_win7_x6401
Started   Sept. 19, 2021, 11:24 a.m.
Completed Sept. 19, 2021, 11:28 a.m.
Size 5.7MB
Type PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5 4f5bbe6b657b6f5874e99baf62af5555
SHA256 05bd66fc4b0f0ee1dda078396665db7eb9ba061d0a15f56cd206228bb2d4b3d2
CRC32 41950C79
ssdeep 98304:HyItLiklDXC34liTeq9X/LrpPRCJDpHz8ubFfD9bU5YS+LQ6N+kuZK:Ttu8m46LrZRC71bRD9QYJM+a
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address     Status  Action
164.124.101.2  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section \x00
section .idata
section
section vjwaxffy
section utmkdsey
section .pdata\x00I
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895
stacktrace+0x84 memdup-0x1af @ 0x74420470
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_kernel32_IsDebuggerPresent+0x19 New_kernel32_LoadResource-0x91 @ 0x7442c6b2
xmrig+0xd0629a @ 0x140ac629a
0x38f5b8

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77210895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 3732184
registers.rsi: 1999256272
registers.r10: 0
registers.rbx: 3632031824
registers.rsp: 3734200
registers.r11: 514
registers.r8: 64
registers.r9: 3732976
registers.rdx: 3733528
registers.r12: 0
registers.rbp: 4866506772
registers.rdi: 5379980956
registers.rax: 3731864
registers.r13: 0
Status 1  Return 0  Repeated 0
section \x00      size_of_data 0x002c6800  virtual_address 0x00001000  virtual_size 0x00a1d000  entropy 7.938686179088239  description A section with a high entropy has been found
section vjwaxffy  size_of_data 0x002c9c00  virtual_address 0x00f08000  virtual_size 0x002ca000  entropy 7.962142895061056  description A section with a high entropy has been found
entropy 0.968795170479  description Overall entropy of this PE file is high
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.807972
FireEye Generic.mg.4f5bbe6b657b6f58
McAfee Artemis!4F5BBE6B657B
Cylance Unsafe
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Generik.NKEREYE potentially unwanted
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan.Win32.Miner.ayfld
BitDefender Gen:Variant.Razy.807972
Avast Win64:Malware-gen
Tencent Win32.Trojan.Miner.Pfjv
Ad-Aware Gen:Variant.Razy.807972
Emsisoft Gen:Variant.Razy.807972 (B)
McAfee-GW-Edition BehavesLike.Win64.Generic.tc
Sophos Generic PUA FI (PUA)
Avira TR/Miner.nopuk
Gridinsoft Trojan.Win64.CoinMiner.vb
Microsoft Trojan:Win32/Sehyioa.A!cl
GData Win32.Application.Coinminer.RV5QVZ
Cynet Malicious (score: 100)
VBA32 Trojan.Miner
MAX malware (ai score=80)
Zoner Probably Heur.ExeHeaderH
TrendMicro-HouseCall TROJ_GEN.R002H09IG21
SentinelOne Static AI - Suspicious PE
Fortinet Riskware/Application
Webroot W32.Malware.Gen
AVG Win64:Malware-gen
Cybereason malicious.b657b6
Panda Trj/CI.A