Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 20, 2022, 6:19 p.m.	April 20, 2022, 6:28 p.m.

Size	9.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5	`1d4810932ddefc16e8e43ce05736ebee`
SHA256	`c56afbc1f38f8ed551fc4dc24f70117cc70f357413990e19d6218dd53442dd63`
CRC32	`2D7F53AF`
ssdeep	`196608:bIAKDUQeuqnccRVwZ91SbQFCWtLlLUsxrCAYFIvGA7jV9F:kDURpVwZaQFCWFlLUsxrClFjQ9F`
PDB Path	d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

miner.exe "C:\Users\test22\AppData\Local\Temp\miner.exe"
2820

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 20, 2022, 6:19 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2022, 6:19 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2022, 6:19 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ad4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2022, 6:19 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2022, 6:19 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746e1000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (22 events)

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x0005154c

size

0x00000bb6

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x00052a7c

size

0x000008a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x00052a7c

size

0x000008a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x00052a7c

size

0x000008a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x00052a7c

size

0x000008a8

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000539b4

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000539b4

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000539b4

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000539b4

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000539b4

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000539b4

size

0x000001ce

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054230

size

0x0000004a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054230

size

0x0000004a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054230

size

0x0000004a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054230

size

0x0000004a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054230

size

0x0000004a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054230

size

0x0000004a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054230

size

0x0000004a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054230

size

0x0000004a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00054230

size

0x0000004a

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x0005427c

size

0x0000003e

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_TRADITIONAL

offset

0x000542bc

size

0x00000640

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\winstart\xmrig-cuda.dll
file	C:\Users\test22\AppData\Local\Temp\winstart\nvrtc-builtins64_101.dll
file	C:\Users\test22\AppData\Local\Temp\winstart\nvrtc64_101_0.dll
file	C:\Users\test22\AppData\Local\Temp\winstart\myminer.exe

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Lionic	Trojan.Win32.Llac.tr9v
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.42349560
FireEye	Generic.mg.1d4810932ddefc16
CAT-QuickHeal	Script.Trojan.Agent.40688
McAfee	Artemis!1D4810932DDE
Cylance	Unsafe
Sangfor	Riskware.Win32.Agent.ky
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Coinminer.2cc
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.32ddef
Cyren	W64/Coinminer.EC
Symantec	Trojan.Gen.MBT
ESET-NOD32	multiple detections
TrendMicro-HouseCall	Coinminer.Win32.MALXMR.TIAOODFG
Paloalto	generic.ml
Kaspersky	Trojan-Dropper.RAR.Agent.bc
BitDefender	Trojan.GenericKD.42349560
NANO-Antivirus	Riskware.Win64.BtcMine.gkgmjq
Avast	Win32:Miner-HK [Trj]
Tencent	Win32.Trojan-dropper.Agent.Dzki
Ad-Aware	Trojan.GenericKD.42349560
Emsisoft	Trojan.GenericKD.42349560 (B)
Comodo	Malware@#3msdpzbn7ulkn
F-Secure	Heuristic.HEUR/AGEN.1213073
DrWeb	Tool.BtcMine.2226
Ikarus	PUA.CoinMiner
TrendMicro	Coinminer.Win32.MALXMR.TIAOODFG
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
Sophos	Generic Reputation PUA (PUA)
APEX	Malicious
Jiangmin	Trojan.Generic.esqhh
Webroot	W32.Adware.Gen
Antiy-AVL	Trojan/Generic.ASMalwS.2D03148
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win64/CoinMiner
Gridinsoft	Trojan.Win32.CoinMiner.vb
ZoneAlarm	Trojan-Dropper.RAR.Agent.bc
GData	Win64.Application.Coinminer.CO
AhnLab-V3	Dropper/Win32.BitCoinMiner.C3606389
ALYac	Misc.Riskware.BitCoinMiner
MAX	malware (ai score=100)
Malwarebytes	Trojan.BitCoinMiner
Rising	HackTool.MinerCfg/JSON!1.CABA (CLASSIC:YzY0OuaRwu11xB+z)
Yandex	Trojan.GenAsa!htgRXaI3boM
SentinelOne	Static AI - Malicious SFX
Fortinet	Riskware/CoinMiner
AVG	Win32:Miner-HK [Trj]
Panda	Trj/CI.A

miner.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All