popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

LUCIM.exe

Generic Malware PE64 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us March 7, 2025, 9:49 a.m. March 7, 2025, 9:53 a.m.
Size 5.8MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 c4b8578d2354c38613669b1c82a08ccb
SHA256 3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2
CRC32 82419850
ssdeep 98304:NT336TFxAfmqqUalE4J+B09AWLLpOWb8xH9leXF8gFgynRQ3JGPpL:xF3qhlE4J+BZWLLpOWb8xHzW+gFHfpL
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
xmr-eu1.nanopool.org
A 51.15.58.224
A 141.94.23.83
A 146.59.154.106
A 212.47.253.124
A 51.15.193.130
A 163.172.154.142
A 54.37.232.103
A 54.37.137.114
A 51.15.65.182
A 162.19.224.121
A 51.89.23.91
162.19.224.121
rentry.org
A 164.132.58.105
164.132.58.105
IP Address Status Action
164.124.101.2 Active Moloch
164.132.58.105 Active Moloch
51.89.23.91 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2033268 ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) Potential Corporate Privacy Violation
TCP 192.168.56.103:49164 -> 164.132.58.105:443 906200068 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3
192.168.56.103:49164
164.132.58.105:443 		None None None
TLS 1.3
192.168.56.103:49163
51.89.23.91:10343 		None None None

Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 808
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000630000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0
section {u'size_of_data': u'0x00595c00', u'virtual_address': u'0x00022000', u'entropy': 7.6965727901251295, u'name': u'.data', u'virtual_size': u'0x00595c00'} entropy 7.69657279013 description A section with a high entropy has been found
entropy 0.970967741935 description Overall entropy of this PE file is high
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Reflo.4!c
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Ghanarava.1732902764a08ccb
Skyhigh Artemis!Trojan
Cylance Unsafe
VIPRE Gen:Heur.Whisperer.1.0000004000
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Heur.Whisperer.1.0000004000
K7GW Trojan ( 005a508c1 )
K7AntiVirus Trojan ( 005a508c1 )
Arcabit Trojan.Whisperer.1.0000004000
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/TrojanDropper.Agent.IH
APEX Malicious
Avast Win64:CrypterX-gen [Trj]
ClamAV Win.Packed.Tedy-10005655-0
Kaspersky HEUR:Trojan.Win64.Reflo.pef
Alibaba TrojanDropper:Win64/Reflo.27acc3bc
NANO-Antivirus Trojan.Win64.Nekark.jzawhf
MicroWorld-eScan Gen:Heur.Whisperer.1.0000004000
Rising Trojan.Kryptik!8.8 (TFE:5:tSjl4DNY5BP)
Emsisoft Gen:Heur.Whisperer.1.0000004000 (B)
F-Secure Heuristic.HEUR/AGEN.1372811
DrWeb Trojan.Siggen20.63580
Zillya Trojan.GenKryptik.Win64.9233
McAfeeD ti!3297BC041D95
CTX exe.trojan.reflo
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Gen:Heur.Whisperer.1.0000004000
Google Detected
Avira HEUR/AGEN.1372811
Antiy-AVL Trojan/Win64.GenKryptik
Kingsoft Win64.Trojan.Reflo.pef
Microsoft Trojan:Win32/Xmrig
ViRobot Trojan.Win.Z.Barys.6044472
GData Gen:Heur.Whisperer.1.0000004000
Varist W64/Injector.BMR.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.C5404991
McAfee Artemis!C4B8578D2354
DeepInstinct MALICIOUS
VBA32 Trojan.Win64.Reflo
Malwarebytes Crypt.Trojan.MSIL.DDS
Ikarus Trojan.Win64.XMRig
Panda Trj/CI.A
Tencent Trojan.Win64.Agent.16001564
Yandex Trojan.Reflo!TM/ClbU5jI4