Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 3, 2022, 1:49 p.m.	Feb. 3, 2022, 2:14 p.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`472afcfc669c79a606a8e95732492944`
SHA256	`fbca0b953516798fdf230b0369f5d19b7111f483aa3895177875750428628969`
CRC32	`23689664`
ssdeep	`49152:eGFn5/3ytf4gvZl1kBrRVdGQDtuhOh47FsACIyM:3FnItfLvZl+BrRVoQkFs3IX`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.243.32.26	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 3, 2022, 1:49 p.m.		1	1	0

section

.ndata

file	C:\Users\test22\AppData\Local\Temp\nsaE2CF.tmp\nsProcess.dll
file	C:\Users\test22\AppData\Local\Temp\nsaE2CF.tmp\nsExec.dll
file	C:\Windows\Client.exe

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Feb. 3, 2022, 1:49 p.m.	service_start_name: start_type: 2 password: display_name: MiningeService filepath: C:\Windows\Client.exe service_name: MiningeService filepath_r: C:\Windows\Client.exe desired_access: 983551 service_handle: 0x008fb888 error_control: 1 service_type: 16 service_manager_handle: 0x008fb928	1	9418888	0

cmdline	C:\Windows\system32\cmd.exe /C sc description MiningeService ServiceManagerForMiner
cmdline	C:\Windows\system32\cmd.exe /C sc failure MiningeService reset= 3600 actions= restart/60000/restart/60000/restart/60000
cmdline	C:\Windows\system32\cmd.exe /C Sc delete MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net stop MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net start MiningeService
cmdline	C:\Windows\system32\cmd.exe /C Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService

file	C:\Users\test22\AppData\Local\Temp\nsaE2CF.tmp\nsExec.dll
file	C:\Users\test22\AppData\Local\Temp\nsaE2CF.tmp\nsProcess.dll

cmdline	net start MiningeService
cmdline	C:\Windows\system32\cmd.exe /C sc description MiningeService ServiceManagerForMiner
cmdline	C:\Windows\system32\cmd.exe /C sc failure MiningeService reset= 3600 actions= restart/60000/restart/60000/restart/60000
cmdline	Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService
cmdline	net stop MiningeService
cmdline	sc description MiningeService ServiceManagerForMiner
cmdline	C:\Windows\system32\cmd.exe /C Sc delete MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net stop MiningeService
cmdline	C:\Windows\system32\cmd.exe /C net start MiningeService
cmdline	sc failure MiningeService reset= 3600 actions= restart/60000/restart/60000/restart/60000
cmdline	Sc delete MiningeService
cmdline	C:\Windows\system32\cmd.exe /C Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService

host

91.243.32.26

service_name

MiningeService

service_path

C:\Windows\Client.exe

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.325941
FireEye	Generic.mg.472afcfc669c79a6
ALYac	Gen:Variant.Zusy.325941
Cylance	Unsafe
K7AntiVirus	Trojan-Downloader ( 0050e5cf1 )
K7GW	Trojan-Downloader ( 0050e5cf1 )
CrowdStrike	win/malicious_confidence_60% (D)
Cyren	W32/Delf.PR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Delf.BBD
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Agentb.gen
BitDefender	Gen:Variant.Zusy.325941
SUPERAntiSpyware	Trojan.Agent/Gen-Zusy
Avast	Win32:TrojanX-gen [Trj]
Emsisoft	Gen:Variant.Zusy.325941 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Avira	HEUR/AGEN.1145140
Microsoft	Trojan:Script/Phonzy.C!ml
Gridinsoft	Malware.Win32.Gen.cc!s5
GData	Gen:Variant.Zusy.325941
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Fuery.R202739
McAfee	Artemis!472AFCFC669C
MAX	malware (ai score=83)
Malwarebytes	RiskWare.BitCoinMiner
Rising	Trojan.CoinMiner/NSIS!1.D88C (CLASSIC)
BitDefenderTheta	Gen:NN.ZelphiF.34182.@V0@aS0r3gii
AVG	Win32:TrojanX-gen [Trj]

setup.exe