Summary | ZeroBOX

jgt.exe

PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started Oct. 11, 2024, 11:10 a.m.
Completed Oct. 11, 2024, 11:13 a.m.
Size 5.3MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 1417d38c40d85d1c4eb7fad3444ca069
SHA256 5f7c6cdea3c4e825af1d796cbd34b2d45b2b6fabed130e717a30a6d871993f5d
CRC32 DBEC7457
ssdeep 98304:z0uVyIJFN+YjxW2q0pOFklpKRDArh51NuIQIi7by2ud3RK:QucIJbx9TOFkMOL1NuIQIi7by2uRRK
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49164 -> 104.26.2.16:443 2044865 ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI) Misc activity
TCP 192.168.56.103:49164 -> 104.26.2.16:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2047928 ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) Crypto Currency Mining Activity Detected
UDP 192.168.56.103:62576 -> 164.124.101.2:53 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2044864 ET INFO Pastebin Service Domain in DNS Lookup (rentry .co) Misc activity
TCP 192.168.56.103:49165 -> 83.168.108.45:443 2038806 ET INFO Observed Pastebin-style Service Domain (justpaste .it) in TLS SNI Misc activity
TCP 192.168.56.103:49165 -> 83.168.108.45:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined
TCP 192.168.56.103:49165 -> 83.168.108.45:443 2038806 ET INFO Observed Pastebin-style Service Domain (justpaste .it) in TLS SNI Misc activity
UDP 192.168.56.103:64894 -> 164.124.101.2:53 2038805 ET INFO Observed DNS Query to Pastebin-style Service (justpaste .it) Misc activity
TCP 192.168.56.103:49166 -> 104.20.3.235:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined
TCP 192.168.56.103:49167 -> 104.21.19.3:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2 192.168.56.103:49163 -> 141.94.96.71:443
  Issuer: C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool
  Subject: C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool
  Fingerprint: 03:77:e8:c9:9c:cd:15:56:b7:2d:35:fc:01:90:83:6c:b5:42:f6:d0
TLS 1.3 192.168.56.103:49164 -> 104.26.2.16:443 None None None
TLS 1.3 192.168.56.103:49165 -> 83.168.108.45:443 None None None
TLS 1.3 192.168.56.103:49166 -> 104.20.3.235:443 None None None
TLS 1.3 192.168.56.103:49167 -> 104.21.19.3:443 None None None

Issuer and subject of the TLS 1.2 flow are identical, i.e. the certificate is self-signed, and its CN (mining.pool) names no real host; this flow to 141.94.96.71:443 has no corresponding row in the alerts table, so the certificate fingerprint above is the only indicator the report records for it. The four TLS 1.3 flows show None for issuer, subject and fingerprint because TLS 1.3 encrypts the server certificate; only the client hello is visible, which is why the alerts table can still report the SNI (rentry.co on port 49164, justpaste.it on port 49165) and the JA3 client fingerprint for these flows.
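The following Python script is an added worked example, not part of the ZeroBOX report and not ZeroBOX's own code. It takes the Suricata alert rows above as constructed input, refangs the defanged domain spellings ("rentry .co"), collects the destination IPs, DNS resolver and SID counts an analyst would pivot on, checks the TLS 1.2 certificate row for issuer == subject (self-signed), and runs a length/entropy heuristic over the .su domain listed in the report's domain table further down. The assumption that ET signature names put the defanged indicator in parentheses, the entropy threshold, and every function name are mine; the entropy check is a generic triage heuristic, not a finding the report makes.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the Suricata alert rows from the report, one per line,
# with the defanged ("rentry .co") domain spelling left exactly as printed.
ALERT_ROWS = """\
TCP 192.168.56.103:49164 -> 104.26.2.16:443 2044865 ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI) Misc activity
TCP 192.168.56.103:49164 -> 104.26.2.16:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2047928 ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) Crypto Currency Mining Activity Detected
UDP 192.168.56.103:62576 -> 164.124.101.2:53 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2044864 ET INFO Pastebin Service Domain in DNS Lookup (rentry .co) Misc activity
TCP 192.168.56.103:49165 -> 83.168.108.45:443 2038806 ET INFO Observed Pastebin-style Service Domain (justpaste .it) in TLS SNI Misc activity
TCP 192.168.56.103:49165 -> 83.168.108.45:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined
TCP 192.168.56.103:49165 -> 83.168.108.45:443 2038806 ET INFO Observed Pastebin-style Service Domain (justpaste .it) in TLS SNI Misc activity
UDP 192.168.56.103:64894 -> 164.124.101.2:53 2038805 ET INFO Observed DNS Query to Pastebin-style Service (justpaste .it) Misc activity
TCP 192.168.56.103:49166 -> 104.20.3.235:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined
TCP 192.168.56.103:49167 -> 104.21.19.3:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined
"""

# The TLS 1.2 certificate row and the .su domain, also copied from the report.
TLS_ISSUER = "C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool"
TLS_SUBJECT = "C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool"
SU_DOMAIN = "jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su"

ROW_RE = re.compile(r"^(TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) (\d+) (.*)$")
PAREN_RE = re.compile(r"\(([^)]*)\)")  # ET signatures put the indicator in (...)
DEFANGED_RE = re.compile(r"\b[a-z0-9-]+(?: \.[a-z0-9-]+)+\b")  # "pool .supportxmr .com"
SSLBL_JA3_SID = 906200068  # abuse.ch SSL blocklist JA3 rule, as shown in the report


@dataclass(frozen=True)
class Alert:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    sid: int
    signature: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse 'Flow SID Signature' rows; rows that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            proto, sip, sport, dip, dport, sid, sig = m.groups()
            alerts.append(Alert(proto, sip, int(sport), dip, int(dport), int(sid), sig))
    return alerts


def refang(defanged: str) -> str:
    """Turn 'rentry .co' back into 'rentry.co' so it can be matched against real logs."""
    return defanged.replace(" .", ".")


def extract_iocs(alerts: list[Alert]) -> dict:
    """Collect the indicators an analyst would pivot on from the alert rows."""
    domains = set()
    for a in alerts:
        for inner in PAREN_RE.findall(a.signature):  # only look inside (...)
            domains.update(refang(hit) for hit in DEFANGED_RE.findall(inner))
    return {
        "domains": domains,
        "tls_dst_ips": {a.dst_ip for a in alerts if a.proto == "TCP" and a.dst_port == 443},
        "dns_servers": {a.dst_ip for a in alerts if a.proto == "UDP" and a.dst_port == 53},
        "sid_counts": Counter(a.sid for a in alerts),
        "ja3_blocklist_hits": sum(1 for a in alerts if a.sid == SSLBL_JA3_SID),
    }


def parse_dn(dn: str) -> dict:
    """'C=IT, ST=Pool, CN=mining.pool' -> {'C': 'IT', 'ST': 'Pool', 'CN': 'mining.pool'}."""
    parts = [p.strip() for p in dn.split(",")]
    return dict(p.split("=", 1) for p in parts if "=" in p)


def is_self_signed(issuer: str, subject: str) -> bool:
    """Issuer DN equal to subject DN is the usual tell for a self-signed leaf."""
    return parse_dn(issuer) == parse_dn(subject)


def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random-looking labels score near log2(alphabet)."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(domain: str, min_len: int = 20, min_entropy: float = 4.0) -> bool:
    """Heuristic only (my thresholds): a long, high-entropy leftmost label deserves a look."""
    label = domain.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_ROWS)
    iocs = extract_iocs(alerts)
    print(f"{len(alerts)} alerts, {iocs['ja3_blocklist_hits']} SSLBL JA3 hits")
    print("domains:", sorted(iocs["domains"]))
    print("TLS destinations:", sorted(iocs["tls_dst_ips"]))
    print("mining.pool cert self-signed:", is_self_signed(TLS_ISSUER, TLS_SUBJECT))
    print(f"{SU_DOMAIN}: random-looking = {looks_random(SU_DOMAIN)}")
```

Restricting the domain regex to parenthesised text matters: the `.su TLD` rule has "for .su" in its name, which a naive space-dot match would refang into a bogus "for.su" indicator.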

PE section
.00cfg

Domain Description
jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su Soviet Union domain TLD

Antivirus Detection
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Reflo.4!c
Cynet Malicious (score: 100)
Skyhigh Trojan-FWHP!1417D38C40D8
ALYac Gen:Variant.Tedy.617597
Cylance Unsafe
VIPRE Gen:Variant.Tedy.617597
Sangfor CoinMiner.Win64.Kryptik.Vdir
CrowdStrike win/malicious_confidence_70% (D)
BitDefender Gen:Variant.Tedy.617597
K7GW Trojan ( 005af85d1 )
K7AntiVirus Trojan ( 005af85d1 )
Arcabit Trojan.Tedy.D96C7D
Symantec ML.Attribute.HighConfidence
Elastic Windows.Generic.Threat
ESET-NOD32 a variant of Win64/Kryptik.EDF
APEX Malicious
Avast Win64:Evo-gen [Trj]
ClamAV Win.Trojan.Genkryptik-10016533-0
Kaspersky HEUR:Trojan.Win64.Reflo.pef
Alibaba Trojan:Win64/Coinminer.27bb4217
NANO-Antivirus Trojan.Win64.Kryptik.ksokwe
MicroWorld-eScan Gen:Variant.Tedy.617597
Rising Trojan.Staser!8.7FD (TFE:5:g2ZCviiLSKR)
Emsisoft Gen:Variant.Tedy.617597 (B)
F-Secure Heuristic.HEUR/AGEN.1370827
DrWeb Trojan.Siggen29.48313
TrendMicro TROJ_GEN.R002C0DJ824
McAfeeD ti!5F7C6CDEA3C4
CTX exe.trojan.kryptik
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.1417d38c40d85d1c
Google Detected
Avira HEUR/AGEN.1370827
Antiy-AVL Trojan/Win64.GenKryptik
Kingsoft Win64.Trojan.Reflo.pef
Gridinsoft Trojan.Win64.CoinMiner.sa
Microsoft Trojan:Win64/Coinminer.RB!MTB
ZoneAlarm HEUR:Trojan.Win64.Reflo.pef
GData Gen:Variant.Tedy.617597
Varist W64/Kryptik.LEG.gen!Eldorado
AhnLab-V3 Dropper/Win.DropperX-gen.R622355
McAfee Trojan-FWHP!1417D38C40D8
DeepInstinct MALICIOUS
Malwarebytes Trojan.Crypt.Generic
Ikarus Trojan.Win64.Krypt
Panda Trj/GdSda.A
TrendMicro-HouseCall TROJ_GEN.R002C0DJ824
Tencent Trojan.Win64.Kryptik.hj