Summary | ZeroBOX

NewApp.exe

UPX PE64 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 14, 2024, 10:37 a.m. Oct. 14, 2024, 10:48 a.m.
Size 5.8MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 6c5765152f9720727f9693288b34a8b6
SHA256 e2cbf154467a2592dfa9e86d6563f0d0d07ac148140ab2eac81790e916b1c4fb
CRC32 E6354A14
ssdeep 98304:/YknE60QvK2disEKWIAN9rDUQ60m+E+3syUSIkJEhxfAF8p4ucb0hCH2:/xnh0sbErIYeQ3nEIsyU2Y48CSi
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

IP Address Status Action
104.20.3.235 Active Moloch
146.59.154.106 Active Moloch
163.172.154.142 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2033268 ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) Potential Corporate Privacy Violation
TCP 192.168.56.103:49163 -> 104.20.3.235:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3 192.168.56.103:49164 -> 163.172.154.142:10343 None None None
TLS 1.3 192.168.56.103:49162 -> 146.59.154.106:10343 None None None
TLS 1.3 192.168.56.103:49163 -> 104.20.3.235:443 None None None

section .00cfg
section .vmp\xec\x9b\x83\xec
resource name PNG
section .vmp\xec\x9b\x83\xec (size_of_data 0x005b6c00, virtual_address 0x005b5000, virtual_size 0x005b6aa4, entropy 7.9802894410488445) description A section with a high entropy has been found
entropy 0.983113500798 description Overall entropy of this PE file is high
section .vmp\xec\x9b\x83\xec description Section name indicates VMProtect
Lionic Trojan.Win32.Nekark.4!c
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win64.Generic.tc
ALYac Application.Generic.3831465
Cylance Unsafe
VIPRE Application.Generic.3831465
Sangfor CoinMiner.Win64.Kryptik.V37i
CrowdStrike win/malicious_confidence_70% (D)
BitDefender Application.Generic.3831465
K7GW Trojan ( 005b1af31 )
K7AntiVirus Trojan ( 005b1af31 )
Arcabit Application.Generic.D3A76A9
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/GenKryptik.GTSN
APEX Malicious
Avast Win64:MalwareX-gen [Trj]
Kaspersky UDS:Trojan.Win32.Miner.bfmkp
Alibaba Trojan:Win32/Miner.23238a54
NANO-Antivirus Trojan.Win64.Nekark.ksqzsh
MicroWorld-eScan Application.Generic.3831465
Rising Trojan.Reflo!8.1230F (TFE:5:4KEnqrPNWbT)
Emsisoft Application.Generic.3831465 (B)
F-Secure Trojan.TR/AD.Nekark.ofvqb
DrWeb Trojan.Siggen29.50366
McAfeeD ti!E2CBF154467A
CTX exe.trojan.generic
Sophos Generic Reputation PUA (PUA)
Ikarus Trojan.Win64.Krypt
FireEye Generic.mg.6c5765152f972072
Google Detected
Avira TR/AD.Nekark.ofvqb
Antiy-AVL Trojan/Win32.Caynamer
Kingsoft Win32.Trojan.Miner.bfmkp
Gridinsoft Trojan.Win64.CoinMiner.ca
Microsoft Trojan:Win64/Coinminer!rfn
ViRobot Trojan.Win.Z.Agent.6095360
ZoneAlarm UDS:Trojan.Win32.Miner.bfmkp
GData Application.Generic.3831465
Varist W64/ABRisk.KSAC-3935
AhnLab-V3 Trojan/Win.Generic.R669480
McAfee Artemis!6C5765152F97
DeepInstinct MALICIOUS
Malwarebytes Malware.AI.1514209829
Panda Trj/Chgt.AD
Tencent Malware.Win32.Gencirc.141d5de0
Fortinet W64/GenKryptik.GTSN!tr
AVG Win64:MalwareX-gen [Trj]
Paloalto generic.ml
alibabacloud Miner:Win/Caynamer.A9nj