Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 10, 2023, 9:07 a.m.	April 10, 2023, 9:09 a.m.

Size	9.9MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`6fa2a8de3fc30b9c80d12c2ac4ad2e3f`
SHA256	`a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd`
CRC32	`E6139117`
ssdeep	`196608:RHkauZatU8wbxg2e/ZPIq3QkZRgj2wpAY7E6XZufNrM1W:RHcsw22eRI2QkjgjLlErH`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature

Updater.exe "C:\Users\test22\AppData\Local\Temp\Updater.exe"
1708

Name	Response	Post-Analysis Lookup
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	104.20.68.143
xmr.2miners.com	A 162.19.139.184	162.19.139.184

IP Address	Status	Action
162.19.139.184	Active	Moloch
164.124.101.2	Active	Moloch
172.67.34.170	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2040353	ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)	Crypto Currency Mining Activity Detected
TCP 192.168.56.103:49164 -> 172.67.34.170:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49164 172.67.34.170:443	None	None	None
TLS 1.3 192.168.56.103:49163 162.19.139.184:12222	None	None	None
TLS 1.3 192.168.56.103:49165 162.19.139.184:12222	None	None	None

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x009a2400', u'virtual_address': u'0x00020000', u'entropy': 7.61805324893538, u'name': u'.data', u'virtual_size': u'0x009a2220'}

entropy

7.61805324894

description

A section with a high entropy has been found

entropy

0.977506936187

description

Overall entropy of this PE file is high

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Lionic	Trojan.Win32.Injector.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Agent
McAfee	Artemis!6FA2A8DE3FC3
Malwarebytes	Trojan.Crypt
Sangfor	Trojan.Win64.Kryptik.Vrp3
K7AntiVirus	Trojan ( 005a1ef11 )
Alibaba	Trojan:Win64/GenKryptik.42e8a052
K7GW	Trojan ( 005a1ef11 )
Arcabit	Application.Generic.D341B80
VirIT	Trojan.Win64.Genus.PO
Cyren	W64/ABRisk.EBYR-0635
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/GenKryptik.GIIA
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Agent.xavnes
BitDefender	Application.Generic.3414912
NANO-Antivirus	Trojan.Win64.Hosts.jvisvl
MicroWorld-eScan	Application.Generic.3414912
Avast	Win64:Evo-gen [Trj]
Tencent	Win32.Trojan.FalseSign.Eflw
Emsisoft	Application.Generic.3414912 (B)
F-Secure	Trojan.TR/AD.Nekark.wjaad
DrWeb	Trojan.Hosts.51203
VIPRE	Application.Generic.3414912
TrendMicro	TROJ_GEN.R002C0DD623
McAfee-GW-Edition	Artemis!Trojan
FireEye	Application.Generic.3414912
Sophos	Generic Reputation PUA (PUA)
Webroot	W32.Trojan.Gen
Avira	TR/AD.Nekark.wjaad
Antiy-AVL	Trojan/Win64.GenKryptik
Gridinsoft	Trojan.Win64.Gen.bot
Xcitium	Malware@#38zvo226ygp71
Microsoft	Trojan:Win64/Xmrig!MTB
ZoneAlarm	Trojan.Win32.Agent.xavnes
GData	Application.Generic.3414912
Google	Detected
VBA32	Trojan.Win64.GenKryptik
ALYac	Application.Generic.3414912
MAX	malware (ai score=79)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0DD623
Rising	Trojan.Kryptik!8.8 (TFE:5:tSjl4DNY5BP)
Ikarus	Trojan.Win64.Agent
MaxSecure	Trojan.Malware.204949125.susgen
Fortinet	W64/GenKryptik.GIIA!tr
AVG	Win64:Evo-gen [Trj]

Updater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All