Summary | ZeroBOX

Updater.exe

Generic Malware Malicious Library VMProtect PE64 PE File
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 23, 2024, 9:47 a.m. Aug. 23, 2024, 9:49 a.m.
Size 9.3MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 dd3aa70adbe7894d6705ddb398155628
SHA256 6b32ec90229466753e03ba4d9eb0c4eb225b8ca2fc5beea04f1ca4a887907c6b
CRC32 13C3F669
ssdeep 196608:RNPW2PdkNsUE5pWMF0PJqQFcVYjV7VHSrTEitDuTw+HCwL:Lu5NGwAQx3SskDu8
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • VMProtect_Zero - VMProtect packed file
  • Generic_Malware_Zero - Generic Malware

IP Address Status Action
104.20.4.235 Active Moloch
163.172.154.142 Active Moloch
164.124.101.2 Active Moloch
51.15.193.130 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49164 -> 104.20.4.235:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2033268 ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) Potential Corporate Privacy Violation

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3 192.168.56.101:49164 -> 104.20.4.235:443 None None None
TLS 1.3 192.168.56.101:49163 -> 163.172.154.142:10343 None None None
TLS 1.3 192.168.56.101:49165 -> 51.15.193.130:10343 None None None

section .00cfg
section .vmp0
section .vmp1
section .vmp1 (virtual_address 0x00870000, virtual_size 0x0092f328, size_of_data 0x0092f400, entropy 7.965108469031978) entropy 7.96510846903 description A section with a high entropy has been found
entropy 0.99282170379 description Overall entropy of this PE file is high
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Reflo.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Agent
Skyhigh BehavesLike.Win64.Generic.tc
ALYac Trojan.GenericKD.73779230
Cylance Unsafe
VIPRE Trojan.GenericKD.73779230
Sangfor Trojan.Win32.Reflo.Vwy5
K7AntiVirus Trojan ( 0058dd1c1 )
BitDefender Trojan.GenericKD.73779230
K7GW Trojan ( 0058dd1c1 )
Cybereason malicious.adbe78
Arcabit Trojan.Generic.D465C81E
VirIT Trojan.Win64.Agent.HCV
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Packed.VMProtect.ACR
APEX Malicious
McAfee Artemis!DD3AA70ADBE7
Avast Win64:Evo-gen [Trj]
Kaspersky Trojan.Win32.Agent.xbrzux
Alibaba Trojan:Win64/Reflo.52972a68
MicroWorld-eScan Trojan.GenericKD.73779230
Rising Trojan.Agent!8.B1E (TFE:5:727qAG4EkQE)
Emsisoft Trojan.GenericKD.73779230 (B)
F-Secure Heuristic.HEUR/AGEN.1374773
DrWeb Trojan.Siggen29.12565
Zillya Trojan.VMProtect.Win32.96647
TrendMicro TROJ_GEN.R002C0XGT24
McAfeeD Real Protect-LS!DD3AA70ADBE7
Trapmine suspicious.low.ml.score
FireEye Generic.mg.dd3aa70adbe7894d
Sophos Mal/Generic-S
Ikarus Trojan.Win32.VMProtect
Webroot W32.Trojan.Gen
Google Detected
Avira HEUR/AGEN.1374773
MAX malware (ai score=88)
Antiy-AVL GrayWare/Win32.Wacapew
Kingsoft Win32.Trojan.Agent.xbrzux
Gridinsoft Trojan.Win64.Packed.sa
Xcitium Malware@#2g1whylycqm7z
Microsoft Trojan:Win64/Reflo.HNS!MTB
ViRobot Trojan.Win.Z.Tedy.9701376
ZoneAlarm Trojan.Win32.Agent.xbrzux
GData Trojan.GenericKD.73779230
AhnLab-V3 Trojan/Win.Generic.R646909
DeepInstinct MALICIOUS
VBA32 Trojan.CoinMiner