Summary | ZeroBOX

FirstZ.exe

PE64 PE File
Category FILE
Machine s1_win7_x6401
Started Jan. 24, 2024, 8:04 a.m.
Completed Jan. 24, 2024, 8:13 a.m.
Size 2.5MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 ffada57f998ed6a72b6ba2f072d2690a
SHA256 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
CRC32 75A335F8
ssdeep 49152:UjBP3/qGrdNJ8VZFhY++Yk/4aLq8wH7mm6qJsSRRjyl:aBPvfrAZF28k/RLbwH7mvcRRjy
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

IP Address Status Action
104.20.68.143 Active Moloch
164.124.101.2 Active Moloch
51.210.150.92 Active Moloch
51.68.137.186 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49164 -> 104.20.68.143:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2033268 ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) Potential Corporate Privacy Violation

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3 192.168.56.101:49164 -> 104.20.68.143:443 None None None
TLS 1.3 192.168.56.101:49163 -> 51.210.150.92:10943 None None None
TLS 1.3 192.168.56.101:49165 -> 51.68.137.186:10943 None None None