popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

monero-bandit.exe

Malicious Packer Malicious Library PE64 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 14, 2021, 5:18 p.m. Oct. 14, 2021, 5:31 p.m.
Size 2.1MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 342ef4f2941187bdc7f66d148be0ff75
SHA256 046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395
CRC32 B397B7D7
ssdeep 49152:4HXeSvsEQ2JZpmwDIqg45PHXsjKkms5Z3z3Yu0E2tElJHhU9VWOZH+aM:4jvsW/lDZ5P3sju63p2tERU9VT
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
pool.supportxmr.com
A 91.121.140.167
A 94.23.247.226
CNAME pool-fr.supportxmr.com
A 37.187.95.110
A 94.23.23.52
A 149.202.83.171
37.187.95.110
IP Address Status Action
164.124.101.2 Active Moloch
37.187.95.110 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49202 -> 37.187.95.110:5555 2024792 ET POLICY Cryptocurrency Miner Checkin Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

section {u'size_of_data': u'0x0020ba00', u'virtual_address': u'0x00002000', u'entropy': 7.9998634116905425, u'name': u'.rdata', u'virtual_size': u'0x0020b887'} entropy 7.99986341169 description A section with a high entropy has been found
entropy 0.998093876579 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 112
region_size: 2146304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000000d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000000000002c
1 0 0
Process injection Process 2972 manipulating memory of non-child process 112
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 112
region_size: 2146304
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000000d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000000000002c
1 0 0
Lionic Trojan.Win32.Inject.4!c
Elastic malicious (high confidence)
DrWeb Trojan.InjectNET.14
MicroWorld-eScan Trojan.GenericKDZ.78431
FireEye Generic.mg.342ef4f2941187bd
CAT-QuickHeal Trojan.Inject
ALYac Trojan.GenericKDZ.78431
Cylance Unsafe
Sangfor Trojan.Win64.Donut.bcy
K7AntiVirus Trojan ( 005886841 )
Alibaba Trojan:Win64/Donut.eaa89c76
K7GW Trojan ( 005886841 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W64/Donut.A.gen!Eldorado
ESET-NOD32 a variant of Win32/Agent_AGen.AP
Paloalto generic.ml
Kaspersky Trojan.Win64.Donut.bcy
BitDefender Trojan.GenericKDZ.78431
Avast Win64:TrojanX-gen [Trj]
Tencent Win64.Trojan.Donut.Lhdm
Ad-Aware Trojan.GenericKDZ.78431
Sophos Mal/Generic-S
McAfee-GW-Edition Artemis!Trojan
Emsisoft Trojan.Agent (A)
Jiangmin Trojan.Donut.hx
Avira TR/Redcap.llrgw
MAX malware (ai score=100)
Gridinsoft Trojan.Win64.Agent.vb
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData Trojan.GenericKDZ.78431
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R444169
McAfee Artemis!342EF4F29411
VBA32 Trojan.Inject
Malwarebytes Trojan.Agent.Generic
TrendMicro-HouseCall TROJ_GEN.R002C0WJ821
Yandex Trojan.Donut!KcD8mNL7U4c
Ikarus Trojan.Win32.Agent_agen
Fortinet W64/AgentAGen.AP!tr
Webroot W32.Trojan.Gen
AVG Win64:TrojanX-gen [Trj]