Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 1, 2024, 10:59 a.m.	July 1, 2024, 11:02 a.m.

Size	1.6MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`72762b7ac7c6dfdc7b1c3b3a5171103a`
SHA256	`ecc5a64d97d4adb41ed9332e4c0f5dc7dc02a64a77817438d27fc31c69f7c1d3`
CRC32	`CE18DC1E`
ssdeep	`49152:TgCwUI2zMCsThgKx7epXo6Ekk6Jy63g9iugMN51fP:Tg9msFgs6u6rk2FgYugMr`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

64.jpg.exe "C:\Users\test22\AppData\Local\Temp\64.jpg.exe"
2556

Name	Response	Post-Analysis Lookup
xmr.330com.com	A 117.52.82.171 A 211.108.74.247 A 62.48.34.99	211.108.74.247

IP Address	Status	Action
164.124.101.2	Active	Moloch
211.108.74.247	Active	Moloch
62.48.34.99	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49162 62.48.34.99:5555	None	None	None
TLS 1.3 192.168.56.101:49165 211.108.74.247:5555	None	None	None

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 1, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 1, 2024, 10:59 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 1, 2024, 10:59 a.m.	process_identifier: 2556 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11 a.m.	process_identifier: 2556 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 1, 2024, 11:01 a.m.	process_identifier: 2556 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000021000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00191c00', u'virtual_address': u'0x0053f000', u'entropy': 7.937914087606463, u'name': u'UPX1', u'virtual_size': u'0x00192000'}

entropy

7.93791408761

description

A section with a high entropy has been found

entropy

0.99875699192

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 1, 2024, 10:59 a.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.TyphonWinekD.Trojan
Lionic	Riskware.Win32.Dacic.1!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Trojan.tc
ALYac	Misc.Riskware.BitCoinMiner
Cylance	Unsafe
VIPRE	Dump:Generic.Dacic.1.BitCoinMiner.A.4DC4A462
Sangfor	Trojan.Win32.Save.a
BitDefender	Dump:Generic.Dacic.1.BitCoinMiner.A.4DC4A462
Cybereason	malicious.ac7c6d
Arcabit	Dump:Generic.Dacic.1.BitCoinMiner.A.4DC4A462
Symantec	PUA.Gen.2
ESET-NOD32	Win64/CoinMiner.AKQ
APEX	Malicious
McAfee	Artemis!72762B7AC7C6
Avast	Win64:Malware-gen
Kaspersky	not-a-virus:RiskTool.Win32.BitCoinMiner.onmh
Alibaba	RiskWare:Win32/BitCoinMiner.9195d25d
NANO-Antivirus	Riskware.Win64.BitCoinMiner.jtfznt
SUPERAntiSpyware	Trojan.Agent/Gen-Falcomp[Cont]
MicroWorld-eScan	Dump:Generic.Dacic.1.BitCoinMiner.A.4DC4A462
Rising	HackTool.CoinMiner!8.F154 (TFE:5:mG1beY8gyNI)
Emsisoft	Dump:Generic.Dacic.1.BitCoinMiner.A.4DC4A462 (B)
F-Secure	PotentialRisk.PUA/CoinMiner.Gen
DrWeb	Trojan.Siggen26.13253
Zillya	Tool.BitCoinMiner.Win32.41903
TrendMicro	TROJ_GEN.R002C0DJO22
McAfeeD	ti!ECC5A64D97D4
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.72762b7ac7c6dfdc
Sophos	XMRig Miner (PUA)
Ikarus	Trojan.Win64.CoinMiner
Jiangmin	RiskTool.BitCoinMiner.atob
Webroot	W32.Malware.Gen
Google	Detected
Avira	PUA/CoinMiner.Gen
Antiy-AVL	GrayWare/Win64.CoinMiner
Xcitium	ApplicUnwnt@#1986kfx5hwc5p
Microsoft	Trojan:Win64/DisguisedXMRigMiner
ZoneAlarm	not-a-virus:RiskTool.Win32.BitCoinMiner.onmh
GData	Dump:Generic.Dacic.1.BitCoinMiner.A.4DC4A462
AhnLab-V3	Trojan/Win.DisguisedXMRigMiner.C5307805
DeepInstinct	MALICIOUS
VBA32	Trojan.Miner
Malwarebytes	BitcoinMiner.Trojan.Miner.DDS
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DJO22
Tencent	Malware.Win32.Gencirc.115d5e37
MAX	malware (ai score=89)

64.jpg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All