popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

NewApp.exe

PE64 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 6, 2024, 12:45 p.m. Oct. 6, 2024, 12:48 p.m.
Size 5.6MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 2eea3ddbfc81544b54a4ac5028a30805
SHA256 ab043bb5ec1911f462c0e6341efb93c2760f097becc0c01ecbd02e5949b10025
CRC32 CDCB0AD3
ssdeep 98304:CtK2disEKWIAN9rDUQ60m+E+3syUSIkJEhxfAF8p4uc6X1zl7As/WO+H:C3bErIYeQ3nEIsyU2Y48CgzdAsuOy
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name Response Post-Analysis Lookup
xmr-eu1.nanopool.org
A 51.15.58.224
A 141.94.23.83
A 146.59.154.106
A 212.47.253.124
A 163.172.154.142
A 162.19.224.121
A 54.37.232.103
A 54.37.137.114
A 51.15.65.182
A 51.89.23.91
A 51.15.193.130
51.89.23.91
pastebin.com
A 104.20.4.235
A 172.67.19.24
A 104.20.3.235
104.20.3.235
IP Address Status Action
104.20.4.235 Active Moloch
164.124.101.2 Active Moloch
51.15.193.130 Active Moloch
54.37.232.103 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2033268 ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) Potential Corporate Privacy Violation
TCP 192.168.56.101:49164 -> 104.20.4.235:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3
192.168.56.101:49163
51.15.193.130:10343 		None None None
TLS 1.3
192.168.56.101:49165
54.37.232.103:10343 		None None None
TLS 1.3
192.168.56.101:49164
104.20.4.235:443 		None None None

section .00cfg
section .vmp\xe2\x98\x8fh
resource name STYLE_XML
resource name None
section {u'size_of_data': u'0x00587800', u'virtual_address': u'0x005b7000', u'entropy': 7.982366953981899, u'name': u'.vmp\\xe2\\x98\\x8fh', u'virtual_size': u'0x005876d4'} entropy 7.98236695398 description A section with a high entropy has been found
entropy 0.991941135249 description Overall entropy of this PE file is high
section .vmp\xe2\x98\x8fh description Section name indicates VMProtect
section .vmp\xe2\x98\x8fh description Section name indicates VMProtect
section .vmp\xe2\x98\x8fh description Section name indicates VMProtect
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.GenCBL.4!c
Cynet Malicious (score: 100)
Skyhigh Artemis!Trojan
Cylance Unsafe
VIPRE Trojan.GenericKD.74237135
CrowdStrike win/malicious_confidence_90% (D)
BitDefender Application.Generic.3823539
K7GW Trojan ( 005bb2981 )
K7AntiVirus Trojan ( 005bb2981 )
Arcabit Application.Generic.D3A57B3
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/GenCBL.FHG
Avast Win64:MalwareX-gen [Trj]
Kaspersky Trojan.Win32.Agent.xbsxlv
Alibaba Trojan:Win32/GenCBL.16b85fe9
MicroWorld-eScan Application.Generic.3823539
Rising Trojan.Vigorf!8.EAEA (TFE:5:k4sAFfFHdvK)
Emsisoft Application.Generic.3823539 (B)
F-Secure Trojan.TR/AD.Nekark.dtgmb
McAfeeD ti!AB043BB5EC19
CTX exe.unknown.generic
Sophos Mal/Generic-S
FireEye Generic.mg.2eea3ddbfc81544b
Google Detected
Avira TR/AD.Nekark.dtgmb
Antiy-AVL Trojan/Win64.GenKryptik
Gridinsoft Trojan.Win64.XMRig.tr
Microsoft Trojan:Win64/Coinminer!rfn
ZoneAlarm Trojan.Win32.Agent.xbsxlv
GData Win32.Application.Coinminer.YVANKN
AhnLab-V3 Trojan/Win.Generic.R669480
McAfee Artemis!2EEA3DDBFC81
DeepInstinct MALICIOUS
Ikarus Trojan.Win32.Generic
Panda Trj/Chgt.AD
Tencent Win32.Trojan.FalseSign.Simw
MaxSecure Trojan.Malware.300983.susgen
Fortinet Riskware/GenCBL
AVG Win64:MalwareX-gen [Trj]
Paloalto generic.ml
alibabacloud Trojan:Win/GenCBL.FJC