Summary | ZeroBOX

xmrig.exe

PE64 PE File

Category: FILE
Machine: s1_win7_x6401
Started: March 8, 2025, 12:08 p.m.
Completed: March 8, 2025, 12:31 p.m.
Size: 5.3MB
Type: PE32+ executable (console) x86-64, for MS Windows
MD5: 4e3c42b8c1558d124457f36cd2870274
SHA256: 64cdeac3128adb283282bbaad30a84004bd8477c5434ea022955bc56f8266436
CRC32: 2F7E65EF
ssdeep: 98304:bD6B9LOZRGejAnztRDWEnHMMEtGfey96JXFXKLTeMIrSxXDE4i:H6n410L3H5EtGL87XKLTetoDvi
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x1ce9030
xmrig+0x7cb489 @ 0x1404bb489
0x2267ca4
0x1ce7c08
0x1bfbd0
xmrig+0x7ccefc @ 0x1404bcefc
GetConsoleMode+0x120 WaitForSingleObjectEx-0x70 kernel32+0x22f80 @ 0x76c32f80
xmrig+0x7db157 @ 0x1404cb157
0x1d40000
0xb09315f4 (this frame appears 55 times in a row in the captured trace)

exception.instruction_r: 90 eb 01 e6 eb 05 df aa 83 3c 76 eb 05 01 8d c1
exception.instruction: nop
exception.exception_code: 0x80000004 (STATUS_SINGLE_STEP)
exception.symbol:
exception.address: 0x1ce9030
registers.r14: 0
registers.r15: 0
registers.rcx: 1
registers.rsi: 36079371
registers.r10: 0
registers.rbx: 7
registers.rsp: 1833776
registers.r11: 582
registers.r8: 1833352
registers.r9: 5373677792
registers.rdx: 30314509
registers.r12: 30137864
registers.rbp: 1833792
registers.rdi: 30313264
registers.rax: 258
registers.r13: 3854
Status: 1  Return: 0  Repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 667648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2556
region_size: 5455872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status: 1  Return: 0  Repeated: 0

section: size_of_data 0x00023800, virtual_address 0x007c8000, virtual_size 0x00023760, name (empty), entropy 7.996924718965643
  description: A section with a high entropy has been found
entropy: 0.989547038328
  description: Overall entropy of this PE file is high

Antivirus Vendor Detection
Lionic Riskware.Win32.BitCoinMiner.1!c
CAT-QuickHeal Trojan.Ghanarava.1741367222870274
Skyhigh BehavesLike.Win64.Dropper.tc
Cylance Unsafe
CrowdStrike win/malicious_confidence_90% (D)
BitDefender Trojan.GenericKD.75955865
Arcabit Trojan.Generic.D486FE99
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/Packed.Obsidium.A suspicious
APEX Malicious
Avast Win64:Evo-gen [Trj]
Kaspersky not-a-virus:RiskTool.Win32.BitCoinMiner.osbs
Alibaba RiskWare:Win32/BitCoinMiner.ef6bb804
MicroWorld-eScan Trojan.GenericKD.75955865
Emsisoft Trojan.GenericKD.75955865 (B)
McAfeeD ti!64CDEAC3128A
Trapmine suspicious.low.ml.score
CTX exe.trojan.generic
Sophos Generic Reputation PUA (PUA)
FireEye Trojan.GenericKD.75955865
Webroot Win.Trojan.Gen
Google Detected
Antiy-AVL RiskWare[RiskTool]/Win32.BitCoinMiner
Gridinsoft Trojan.Win64.XMRig.tr
Microsoft Trojan:Win32/Wacatac.B!ml
GData Trojan.GenericKD.75955865
Varist W64/ABTrojan.LICM-8994
AhnLab-V3 Trojan/Win.Generic.R693252
DeepInstinct MALICIOUS
Zoner Probably Heur.ExeHeaderL
Fortinet Riskware/Application
AVG Win64:Evo-gen [Trj]
alibabacloud Miner:Win/Wacatac.B9nj