Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 3, 2024, 7:12 a.m.	April 3, 2024, 7:17 a.m.

Size	5.3MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`fcce0a9aa496c81dceda922d4423f2ba`
SHA256	`768ea7c6f1285d70a63d32bbd3f3a0e9c530fdbd1c16e10672c42485e35bc077`
CRC32	`CC93EC42`
ssdeep	`98304:XX2a7J2JcPj1735LBLQwovLvpMyH3CzFRmr4BgDF7L:XX2a70JWL5d0wo1MyXC3vOZ`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature

4.exe "C:\Users\test22\AppData\Local\Temp\4.exe"
2552

Name	Response	Post-Analysis Lookup
xmr.2miners.com	A 162.19.139.184	162.19.139.184
rentry.co	A 172.67.145.129 A 104.21.95.148	172.67.145.129

IP Address	Status	Action
104.21.95.148	Active	Moloch
162.19.139.184	Active	Moloch
164.124.101.2	Active	Moloch
91.92.242.200	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2040353	ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)	Crypto Currency Mining Activity Detected
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2044864	ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)	Misc activity
TCP 91.92.242.200:3333 -> 192.168.56.101:49164	2400006	ET DROP Spamhaus DROP Listed Traffic Inbound group 7	Misc Attack
TCP 192.168.56.101:49163 -> 104.21.95.148:443	2044865	ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)	Misc activity
TCP 192.168.56.101:49163 -> 104.21.95.148:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
UNDETERMINED 192.168.56.101:49162 162.19.139.184:2222	None	None	None
TLS 1.3 192.168.56.101:49163 104.21.95.148:443	None	None	None
TLS 1.3 192.168.56.101:49164 91.92.242.200:3333	None	None	None

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.00cfg

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 3, 2024, 7:05 a.m.	process_identifier: 2552 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

91.92.242.200

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Miner.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	Trojan-FWHP!FCCE0A9AA496
Cylance	unsafe
VIPRE	Application.Generic.3649698
Sangfor	CoinMiner.Win64.Kryptik.Vk0t
K7AntiVirus	Trojan ( 005af85d1 )
BitDefender	Application.Generic.3649698
K7GW	Trojan ( 005af85d1 )
Arcabit	Application.Generic.D37B0A2
VirIT	Trojan.Win64.Agent.GNH
Symantec	Trojan Horse
ESET-NOD32	a variant of Win64/Kryptik.EDF
APEX	Malicious
McAfee	Trojan-FWHP!FCCE0A9AA496
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Trojan.Genkryptik-10016533-0
Kaspersky	HEUR:Trojan.Win32.Miner.pef
Alibaba	Trojan:Win64/CoinMiner.ad3fc43d
MicroWorld-eScan	Application.Generic.3649698
Rising	Trojan.Staser!8.7FD (TFE:5:g2ZCviiLSKR)
Emsisoft	Application.Generic.3649698 (B)
F-Secure	Trojan.TR/AD.Nekark.jumdx
TrendMicro	TROJ_GEN.R002C0DD124
FireEye	Generic.mg.fcce0a9aa496c81d
Sophos	Mal/Generic-S
Ikarus	Trojan.Win64.Krypt
Google	Detected
Avira	TR/AD.Nekark.jumdx
MAX	malware (ai score=70)
Antiy-AVL	Trojan/Win64.GenKryptik
Kingsoft	Win32.Trojan.Miner.pef
Gridinsoft	Trojan.Win64.Kryptik.sa
Microsoft	Trojan:Win64/CoinMiner!pz
ViRobot	Trojan.Win.Z.Genkryptik.5586216
ZoneAlarm	HEUR:Trojan.Win32.Miner.pef
GData	Win64.Trojan.Agent.9BRFQS
Varist	W64/Kryptik.LEG.gen!Eldorado
AhnLab-V3	Dropper/Win.DropperX-gen.R622355
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt.Generic
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0DD124
Tencent	Malware.Win32.Gencirc.140757e9
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	W64/GenKryptik.GQCB!tr
AVG	Win64:Evo-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)

4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All