Summary | ZeroBOX

66ea645129e6a_jacobs.exe

PE64 PE File
Category  Machine        Started                     Completed
FILE      s1_win7_x6401  Sept. 19, 2024, 10:22 a.m.  Sept. 19, 2024, 10:26 a.m.

Size    11.0MB
Type    PE32+ executable (GUI) x86-64, for MS Windows
MD5     d60d266e8fbdbd7794653ecf2aba26ed
SHA256  d4df1aba83289161d578336e1b7b6daf7269bb73acc92bd9dfa2c262ebc6c4d2
CRC32   960C9011
ssdeep  196608:0GTSo6ARyCFMI19DwkfAuYI8wha0mlCGMbM77RWWuhJzoSpc92tQRqIDfrDap1B6:0GTz6uyCfDwkfAuH8kv477RWXJs59Nqs
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Domains

Name                Response       Post-Analysis Lookup
pool.hashvault.pro  125.253.92.50

Hosts

IP Address     Status  Action
125.253.92.50  Active  Moloch
164.124.101.2  Active  Moloch

125.253.92.50 is the address pool.hashvault.pro resolved to; 164.124.101.2 is the DNS resolver the guest (192.168.56.101) sent the lookup to, as recorded in the Suricata alert below.

Suricata Alerts

Flow       UDP 192.168.56.101:54148 -> 164.124.101.2:53
SID        2036289
Signature  ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
Category   Crypto Currency Mining Activity Detected

The alert fires on the DNS query alone, before any mining traffic: the guest asked its resolver for the pool name, the name resolved to 125.253.92.50, and the guest then opened a TLS connection to that address (see Suricata TLS below).
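The alert above is Suricata matching the pool name inside a DNS query on the wire. The same detection can be run after the fact over Suricata's EVE JSON `dns` events, which is how one would hunt for other hosts that resolved a mining pool or tie a lookup to the address it returned. The following is an added example, not ZeroBOX's, Suricata's or the Emerging Threats ruleset's code. The EVE lines are constructed to mirror the flow in the alert (they were not captured from the analysis), `hashvault.pro` is the parent of the domain in the report, and `example-pool.invalid` is a made-up placeholder entry.

```python
"""Mining-pool DNS lookup detector over Suricata EVE JSON (added example)."""
import json

# Watchlist of pool parent domains. hashvault.pro is taken from the report;
# example-pool.invalid is a made-up placeholder showing the list can hold many pools.
MINING_POOL_DOMAINS = {"hashvault.pro", "example-pool.invalid"}

# Constructed EVE records in Suricata's dns event shape, modelled on the alert
# above. They are sample input, not records captured from the analysis.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-09-19T10:23:01.000000+0000","event_type":"dns","src_ip":"192.168.56.101",'
    '"src_port":54148,"dest_ip":"164.124.101.2","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","rrname":"pool.hashvault.pro","rrtype":"A"}}',
    '{"timestamp":"2024-09-19T10:23:01.050000+0000","event_type":"dns","src_ip":"192.168.56.101",'
    '"src_port":54148,"dest_ip":"164.124.101.2","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"answer","rrname":"pool.hashvault.pro","rrtype":"A","rdata":"125.253.92.50"}}',
    '{"timestamp":"2024-09-19T10:23:02.000000+0000","event_type":"dns","src_ip":"192.168.56.101",'
    '"src_port":54149,"dest_ip":"164.124.101.2","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","rrname":"www.microsoft.com","rrtype":"A"}}',
    '{"timestamp":"2024-09-19T10:23:03.000000+0000","event_type":"flow","src_ip":"192.168.56.101",'
    '"dest_ip":"125.253.92.50"}',
    '{"timestamp":"2024-09-19T10:23:04.000000+0000","event_type":"dns","src_ip":"192.168.56.101",'
    '"src_port":54150,"dest_ip":"164.124.101.2","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","rrname":"nothashvault.pro","rrtype":"A"}}',
]


def domain_matches(qname, watchlist):
    """Label-wise suffix match: 'pool.hashvault.pro' matches 'hashvault.pro',
    'nothashvault.pro' does not. Returns the watchlist entry hit, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def detect_pool_lookups(eve_lines, watchlist=MINING_POOL_DOMAINS):
    """Return one hit per matching query: flow, queried name, watchlist entry,
    and any A-record answers seen for that name anywhere in the log."""
    events = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line from a rotated log; skip rather than abort
        if ev.get("event_type") == "dns":
            events.append(ev)

    # Answers are logged after the query they belong to, so index them first.
    resolved = {}
    for ev in events:
        dns = ev.get("dns", {})
        if dns.get("type") == "answer" and dns.get("rrtype") == "A" and "rdata" in dns:
            resolved.setdefault(dns["rrname"], set()).add(dns["rdata"])

    hits = []
    for ev in events:
        dns = ev.get("dns", {})
        if dns.get("type") != "query":
            continue
        matched = domain_matches(dns.get("rrname", ""), watchlist)
        if matched is None:
            continue
        hits.append({
            "timestamp": ev.get("timestamp"),
            "flow": f'{ev.get("proto")} {ev["src_ip"]}:{ev.get("src_port")} '
                    f'-> {ev["dest_ip"]}:{ev.get("dest_port")}',
            "qname": dns["rrname"],
            "matched": matched,
            "resolved": sorted(resolved.get(dns["rrname"], ())),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_pool_lookups(SAMPLE_EVE_LINES):
        print(f'{hit["flow"]}  {hit["qname"]} (watchlist: {hit["matched"]}) '
              f'-> {", ".join(hit["resolved"]) or "unresolved"}')
```

The label-wise suffix match matters: a plain substring test on "hashvault.pro" would also flag "nothashvault.pro". A DNS-only check of this kind misses miners configured with a raw pool IP or resolving over DoH, so it corroborates rather than replaces the TLS and flow evidence below.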

Suricata TLS

Flow         TLS 1.3, 192.168.56.101:49163 -> 125.253.92.50:443
Issuer       None
Subject      None
Fingerprint  None

The empty certificate fields are expected, not a logging failure: in TLS 1.3 the server certificate is sent encrypted, so a passive sensor such as Suricata cannot record issuer, subject or fingerprint from the wire. The destination is the address pool.hashvault.pro resolved to, so this is the guest connecting to the mining pool it had just looked up.

Sections: .00cfg, .text0, .text1, .text2

Section .text2: virtual address 0x00f8e000, virtual size 0x00ac60a0, size of data 0x00ac6200, entropy 7.968
  A section with a high entropy has been found
Overall: 0.983
  Overall entropy of this PE file is high

The section figure is Shannon entropy in bits per byte (8.0 is the maximum, which compressed or encrypted data approaches); 7.968 means .text2 is indistinguishable from random data. The "overall" figure is not an entropy value but the share of the PE's section data that sits in high-entropy sections, as Cuckoo's packer_entropy signature computes it: .text2 alone holds 0x00ac6200 = 11,297,280 bytes, almost the entire 11.0MB file. That is consistent with the VMProtect packer verdicts from ESET-NOD32, Antiy-AVL, CTX and Ikarus below, and it means static analysis of this sample is limited to the unpacking stub until it is run or unpacked.
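The two checks reported above (per-section Shannon entropy and the fraction of section data in high-entropy sections) are easy to reproduce on any PE. The following is an added example, not ZeroBOX's or Cuckoo's code. The thresholds of 6.8 bits per byte for a section and 0.2 for the overall ratio are assumed from Cuckoo's community packer_entropy signature; the report does not state them. The section contents are constructed (a deterministic SHA-256 stream stands in for packed data), since the analysed file's bytes are not on the page.

```python
"""Section-entropy packer heuristic (added example, not sandbox code)."""
import hashlib
import math
from collections import Counter

SECTION_ENTROPY_THRESHOLD = 6.8  # assumed from Cuckoo's packer_entropy signature, bits/byte
PACKED_RATIO_THRESHOLD = 0.2     # assumed from the same signature, fraction of section data


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_verdict(sections):
    """sections: list of (name, raw_bytes).
    Returns (names of high-entropy sections, high-entropy data ratio, packed verdict)."""
    total = 0
    high = 0
    flagged = []
    for name, raw in sections:
        total += len(raw)
        if shannon_entropy(raw) > SECTION_ENTROPY_THRESHOLD:
            flagged.append(name)
            high += len(raw)
    ratio = high / total if total else 0.0
    return flagged, ratio, ratio > PACKED_RATIO_THRESHOLD


def pseudo_random_bytes(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in for
    packed or encrypted code. Constructed sample data, not bytes from the sample."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed stand-in for the layout above: a small section of repetitive plain
# code, a zero-filled section, and one large section of packed data.
SAMPLE_SECTIONS = [
    (".text0", b"\x55\x48\x89\xe5\x48\x83\xec\x20" * 4096),  # repeated x86-64 prologue bytes
    (".text1", b"\x00" * 8192),                               # zero padding
    (".text2", pseudo_random_bytes(256 * 1024)),              # packed payload
]


def analyse_sample():
    """Run the heuristic over the constructed sections."""
    return packer_verdict(SAMPLE_SECTIONS)


if __name__ == "__main__":
    flagged, ratio, packed = analyse_sample()
    for name, raw in SAMPLE_SECTIONS:
        print(f"{name:8s} {len(raw):8d} bytes  entropy {shannon_entropy(raw):.3f}")
    print(f"high-entropy sections: {flagged}  ratio {ratio:.3f}  packed={packed}")
```

To apply this to a real file, feed `packer_verdict` the raw data of each section as read from the section table (with pefile, `section.get_data()` and `section.Name`); the ratio uses size of raw data on disk, as the report's figure does, not virtual size. The per-section threshold is what makes the check useful: a compressed resource section in a legitimate binary will score above 6.8 on its own, and it is the ratio over the whole image that separates a packed executable from one that merely embeds some compressed data.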
Antivirus Result
Bkav W64.AIDetectMalware
Cylance Unsafe
Sangfor Trojan.Win64.Agent.Vlg9
CrowdStrike win/malicious_confidence_100% (D)
BitDefender Trojan.GenericKD.74156075
Arcabit Trojan.Generic.D46B882B
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/Packed.VMProtect.AC suspicious
Avast Win64:Evo-gen [Trj]
MicroWorld-eScan Trojan.GenericKD.74156075
Rising Trojan.Agent!8.B1E (TFE:5:FkFUO8h2JGR)
Emsisoft Trojan.GenericKD.74156075 (B)
TrendMicro Trojan.Win64.PRIVATELOADER.YXEIRZ
McAfeeD Real Protect-LS!D60D266E8FBD
Trapmine malicious.moderate.ml.score
CTX exe.trojan.vmprotect
FireEye Trojan.GenericKD.74156075
Webroot W32.Backdoor.Gen
Antiy-AVL Trojan[Packed]/Win64.VMProtect
Kingsoft malware.kb.b.955
Gridinsoft Trojan.Win64.Packed.cl
Microsoft Trojan:Win64/Coinminer!rfn
GData Win32.Application.Coinminer.XUC2W4
Varist W64/ABRisk.EAFF-3351
McAfee Artemis!D60D266E8FBD
DeepInstinct MALICIOUS
Malwarebytes Trojan.CoinMiner
Ikarus PUA.VMProtect
TrendMicro-HouseCall Trojan.Win64.PRIVATELOADER.YXEIRZ
Tencent Win32.Trojan.Miner.Uimw
Fortinet Riskware/Application
AVG Win64:Evo-gen [Trj]