Summary | ZeroBOX

miner.exe

PE64 PE File
Category Machine Started Completed
FILE s1_win7_x6401 June 18, 2024, 7:34 a.m. June 18, 2024, 7:45 a.m.
Size 5.3MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 dd5fdaf7d0f6c0cbb695695ed546f54b
SHA256 74895cc8a75a906c088dcb303aadb2967fcd9469eb70a7979351421a33e439f3
CRC32 85970D81
ssdeep 98304:dC2dZ+7m1A8ph4kSrfZuhFRxohUwPz1IbTlDPuXr3oFsI8z+UKBC042/OqKODcNR:dC2u7mS8vxBHhAz2bTlDPuX7oFpY0Jff
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

IP Address Status Action
164.124.101.2 Active Moloch
34.149.22.228 Active Moloch
94.156.65.121 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 94.156.65.121:80 -> 192.168.56.101:49164 2400014 ET DROP Spamhaus DROP Listed Traffic Inbound group 15 Misc Attack
TCP 192.168.56.101:49164 -> 94.156.65.121:80 2051004 ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request Crypto Currency Mining Activity Detected
TCP 192.168.56.101:49165 -> 94.156.65.121:80 2051004 ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request Crypto Currency Mining Activity Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3 192.168.56.101:49163 -> 34.149.22.228:443 None None None

section .00cfg
suspicious_features POST method with no referer header, Connection to IP address
suspicious_request POST http://94.156.65.121/ACDG57T68GGYB/api/endpoint.php
request POST http://94.156.65.121/ACDG57T68GGYB/api/endpoint.php
request POST http://94.156.65.121/ACDG57T68GGYB/api/endpoint.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2644
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000004f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status 1 Return 0 Repeated 0
host 94.156.65.121