Summary | ZeroBOX

huorong.exe

CoinMiner Generic Malware AutoIt UPX PE File PE32
Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 19, 2024, 2:17 p.m.
Completed: Aug. 19, 2024, 3:20 p.m.
Size: 329.7KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 2b7bff01c4165d267d31d52c15b2d0ec
SHA256: bf9a426fff27204f4681aeb9038fd85c356cd95ed6aa4ab8c1d1fe814496f0de
CRC32: 819CFA0A
ssdeep: 6144:f68oipnnK9jqXEX52Ums+Tbxzbx9SmIqQyPodMUf8Dkzel6R8zHe1I0:ZfnnK9zABs+TbFx9SXOPCf8DkqAR8zH6
Yara
  • AutoIt - autoit
  • PE_Header_Zero - PE File Signature
  • CoinMiner_IN - CoinMiner
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file

IP Address Status Action
164.124.101.2 Active Moloch
180.163.146.100 Active Moloch

Suricata Alerts

Flow: TCP 192.168.56.103:49162 -> 180.163.146.100:443
SID: 906200054
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: (not set)

Suricata TLS

Flow: TLSv1 192.168.56.103:49162 -> 180.163.146.100:443
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G2
Subject: CN=down5.huorong.cn
Fingerprint: fe:bc:d5:f7:fd:d6:da:9b:43:72:0d:b9:64:5d:96:4b:aa:3d:b7:16

Time & API Arguments Status Return Repeated
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0

Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx 1 1 0

Packer: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Section UPX1 (size_of_data 0x0004aa00, virtual_address 0x0007d000, virtual_size 0x0004b000, entropy 7.940965856094214): A section with a high entropy has been found
Entropy 0.911450381679: Overall entropy of this PE file is high
Section UPX0: Section name indicates UPX
Section UPX1: Section name indicates UPX

Antivirus
Bkav: W32.AIDetectMalware
Lionic: Trojan.Win32.Nymeria.4!c
Elastic: malicious (moderate confidence)
MicroWorld-eScan: AIT:Trojan.Nymeria.4279
Skyhigh: BehavesLike.Win32.Yahlover.fc
ALYac: AIT:Trojan.Nymeria.4279
Cylance: Unsafe
VIPRE: AIT:Trojan.Nymeria.4279
Sangfor: Trojan.Win32.Packed.Velg
K7AntiVirus: Trojan ( 0056316d1 )
BitDefender: AIT:Trojan.Nymeria.4279
K7GW: Trojan ( 0056316d1 )
Cybereason: malicious.1c4165
Arcabit: AIT:Trojan.Nymeria.D10B7 [many]
VirIT: Trojan.Win32.Generic.XTX
Symantec: Trojan.Gen.MBT
ESET-NOD32: a variant of Win32/Packed.Autoit.NBT suspicious
APEX: Malicious
McAfee: Artemis!2B7BFF01C416
Avast: Win32:Evo-gen [Trj]
Cynet: Malicious (score: 99)
Kaspersky: HEUR:Trojan.Script.Agent.gen
Alibaba: Packed:Win32/YahLover.63171457
Emsisoft: AIT:Trojan.Nymeria.4279 (B)
F-Secure: Malware.W97M/Dldr.Agent.bdgsh
DrWeb: Trojan.Siggen5.59949
TrendMicro: TROJ_GEN.R002C0WET24
McAfeeD: ti!BF9A426FFF27
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.2b7bff01c4165d26
Sophos: Mal/Generic-S
Ikarus: PUA.Autoit
Webroot: W32.Trojan.Gen
Google: Detected
Avira: W97M/Dldr.Agent.bdgsh
MAX: malware (ai score=86)
Antiy-AVL: Trojan[Packed]/Win32.Autoit
Gridinsoft: Trojan.Win32.CoinMiner.dd!s2
Xcitium: TrojWare.Win32.Hider.REXR@5364l6
Microsoft: Trojan:Win32/Ymacco.AABF
ViRobot: Trojan.Win32.A.Agent.690283[UPX]
ZoneAlarm: HEUR:Trojan.Script.Agent.gen
GData: Win32.Trojan.PSE.R2WKDE
Varist: W32/Trojan.IJBN-1595
AhnLab-V3: Malware/Win32.Generic.C4292734
DeepInstinct: MALICIOUS
VBA32: IMWorm.Sohanad
Malwarebytes: Generic.Malware.AI.DDS
Panda: Trj/CI.A
TrendMicro-HouseCall: TROJ_GEN.R002C0WET24