Summary | ZeroBOX

notepads.exe

Malicious Library UPX Malicious Packer PE64 PE File OS Processor Check
Category FILE
Machine s1_win7_x6401
Started Dec. 11, 2022, 3:31 p.m.
Completed Dec. 11, 2022, 3:33 p.m.
Size 4.6MB
Type PE32+ executable (console) x86-64, for MS Windows
MD5 3ceae9e0773b63662aa06f792a016c47
SHA256 baeff180565b7934335f535fbd4e42e5d8e0aec0f0b01284b7db418592ddd37e
CRC32 19301E2E
ssdeep 98304:aFJtUztP0qDrLSmT8F3tBpLTkw/AEnFUSFcBVPFgcwen:aFaPExtBpHkw/ASXFcBVHwen
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • UPX_Zero - UPX packed file

Name / Response / Post-Analysis Lookup
No hosts contacted.

IP Address      Status   Action
164.124.101.2   Active   Moloch
45.155.37.228   Active   Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49161 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49181 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49164 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49166 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49181 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49161 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49166 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49173 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49168 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49173 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49182 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49167 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49168 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49182 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49176 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49171 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49176 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49170 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49171 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49170 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49169 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49177 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49172 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49169 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49177 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49174 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49172 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49174 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49175 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49175 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49179 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49179 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49178 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49178 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49180 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49180 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode
TCP 192.168.56.101:49183 -> 45.155.37.228:80 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation
TCP 192.168.56.101:49183 -> 45.155.37.228:80 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

API: GetComputerNameA
Arguments:
  computer_name: TEST22-PC
Status: 1, Return: 1, Repeated: 0

API: GlobalMemoryStatusEx
Arguments: (none)
Status: 1, Return: 1, Repeated: 0

section _RANDOMX
section _SHA3_25
section _TEXT_CN
section _RDATA

API: NtAllocateVirtualMemory
Arguments:
  process_identifier: 2672
  region_size: 131072
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x0000000000530000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffffffffffff
Status: 1, Return: 0, Repeated: 0

API: GetAdaptersAddresses
Arguments:
  flags: 14
  family: 0
Return: 111, Repeated: 0

host 45.155.37.228

API: NtQuerySystemInformation
Arguments:
  information_class: 76 (SystemFirmwareTableInformation)
Return: -1073741789, Repeated: 0
Elastic malicious (high confidence)
ClamAV Win.Trojan.Coinminer-9866537-0
ALYac Gen:Variant.Application.Miner.24
Malwarebytes BitcoinMiner.Trojan.Miner.DDS
Zillya Trojan.Miner.Win32.14577
Sangfor Trojan.Win32.Save.a
BitDefender Gen:Variant.Application.Miner.24
Cybereason malicious.0773b6
Arcabit Trojan.Application.Miner.24
Cyren W64/Coinminer.BN.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/CoinMiner.PO potentially unwanted
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Miner.gen
Alibaba Trojan:Win64/Miners.d0f47b22
MicroWorld-eScan Gen:Variant.Application.Miner.24
Rising Trojan.Miner!8.EA1 (TFE:5:et5CjEw2LFL)
Ad-Aware Gen:Variant.Application.Miner.24
Sophos XMRig Miner (PUA)
F-Secure Heuristic.HEUR/AGEN.1213073
VIPRE Gen:Variant.Application.Miner.24
Trapmine suspicious.low.ml.score
FireEye Generic.mg.3ceae9e0773b6366
Emsisoft Gen:Variant.Application.Miner.24 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Miner.qpa
Avira HEUR/AGEN.1213073
MAX malware (ai score=79)
Antiy-AVL Trojan/Win32.Miner
Gridinsoft Risk.Win64.CoinMiner.sd!i
Microsoft Trojan:Win64/DisguisedXMRigMiner
ZoneAlarm not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
GData Win64.Application.Coinminer.CP
Google Detected
AhnLab-V3 Win-Trojan/Miner3.Exp
Acronis suspicious
McAfee GenericRXAA-AA!3CEAE9E0773B
Cylance Unsafe
Panda Trj/CI.A
TrendMicro-HouseCall TROJ_GEN.R002C0DL422
Tencent RiskTool.Win64.BitMiner.ha
Ikarus PUA.CoinMiner
MaxSecure Trojan.Malware.300983.susgen
Fortinet Riskware/CoinMiner
AVG Win64:Evo-gen [Trj]
Avast Win64:Evo-gen [Trj]
CrowdStrike win/grayware_confidence_60% (D)