Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 10, 2023, 9:14 a.m.	Sept. 10, 2023, 9:20 a.m.

Size	10.1MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`73e4f82277d7cb23b3a030e140c50fb2`
SHA256	`ba15633c2ad9ad3ce86df9c28ff4273fab06d771eeb10743eb3396449a0262a0`
CRC32	`018D9E42`
ssdeep	`98304:hL65Ij71XKw6poNpWu/CHrCThPiUf1Qe2KaiOS7vQXZvY/k2l213ncb/VUrZWUUK:h57FD/CeTN1OSUtGPo13cqrZWbsj`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description)

verify.exe "C:\Users\test22\AppData\Local\Temp\verify.exe"
2556

Name	Response	Post-Analysis Lookup
gulf.moneroocean.stream	CNAME monerooceans.stream A 54.250.156.221	54.250.156.221
ppanel.pornsworld.xyz	A 172.67.185.119 A 104.21.68.25	172.67.185.119
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	104.20.68.143

IP Address	Status	Action
104.20.67.143	Active	Moloch
164.124.101.2	Active	Moloch
172.67.185.119	Active	Moloch
54.250.156.221	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 104.20.67.143:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
TCP 192.168.56.101:49167 -> 172.67.185.119:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
TCP 192.168.56.101:49166 -> 172.67.185.119:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49164 104.20.67.143:443	None	None	None
TLS 1.3 192.168.56.101:49165 54.250.156.221:20128	None	None	None
TLS 1.3 192.168.56.101:49167 172.67.185.119:443	None	None	None
TLS 1.3 192.168.56.101:49163 54.250.156.221:20128	None	None	None
TLS 1.3 192.168.56.101:49166 172.67.185.119:443	None	None	None

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x009a2200', u'virtual_address': u'0x0001b000', u'entropy': 7.650154342281097, u'name': u'.data', u'virtual_size': u'0x009a20a0'}

entropy

7.65015434228

description

A section with a high entropy has been found

entropy

0.952171814672

description

Overall entropy of this PE file is high

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.Common.D8AF5665
Lionic	Trojan.Win32.Miner.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Molotov.IM.39.100
CAT-QuickHeal	Trojan.Win64
McAfee	Artemis!73E4F82277D7
Cylance	unsafe
Sangfor	Trojan.Win64.Kryptik.Vs3l
K7AntiVirus	Trojan ( 005a508c1 )
Alibaba	Trojan:Win64/Miner.b3dde8eb
K7GW	Trojan ( 005a508c1 )
Cybereason	malicious.e0dd41
Arcabit	Trojan.Molotov.IM.39.100
Cyren	W64/Injector.BMR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Kryptik.DZL
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.Win64.Miner.pef
BitDefender	Gen:Heur.Molotov.IM.39.100
Avast	Win64:CrypterX-gen [Trj]
Tencent	Win32.Trojan.FalseSign.Nsmw
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Kryptik.zhbwa
DrWeb	Trojan.Siggen21.27111
VIPRE	Gen:Heur.Molotov.IM.39.100
TrendMicro	Trojan.Win64.SMOKELOADER.YXDIGZ
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Heur.Molotov.IM.39.100
Emsisoft	Gen:Heur.Molotov.IM.39.100 (B)
Webroot	W32.Trojan.Win64.Miner
Avira	TR/Kryptik.zhbwa
Antiy-AVL	Trojan/Win64.GenKryptik
Gridinsoft	Ransom.Win64.Sabsik.sa
Microsoft	Trojan:Win64/XMRig.CCAN!MTB
ZoneAlarm	HEUR:Trojan.Win64.Miner.pef
GData	Gen:Heur.Molotov.IM.39.100
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R571995
ALYac	Gen:Heur.Molotov.IM.39.100
MAX	malware (ai score=89)
Malwarebytes	Crypt.Trojan.MSIL.DDS
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win64.SMOKELOADER.YXDIGZ
Rising	Trojan.DisguisedXMRigMiner!8.12EF7 (TFE:5:YhzrPCllRHI)
Ikarus	Trojan.Win64.Krypt
Fortinet	W64/GenKryptik.GIIA!tr
AVG	Win64:CrypterX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_60% (W)

verify.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All