popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

nCoreManage41r.exe

Process Kill CryptGenKey FindFirstVolume
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 9, 2021, 2:46 p.m. March 9, 2021, 2:48 p.m.
Size 887.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 49479db345e2c3694c34f1326035a692
SHA256 50f07f3f7e23d27d4e0674835506a899ee0bf5cba95fd680b98b46daf687f969
CRC32 3A44F7F9
ssdeep 24576:OAHnh+eWsN3skA4RV1Hom2KXMmHamiscT5:5h+ZkldoPK8YamiR
Yara
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • AutoIt - www.autoitscript.com/site/autoit/
  • CryptGenKey_Zero - CryptGenKey Zero
  • FindFirstVolume_Zero - FindFirstVolume Zero
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • Process_Snapshot_Kill_Zero - Process Kill Zero
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • Device_Check_Zero - Device Check Zero

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The system cannot find the path specified.
console_handle: 0x0000000b
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b62000
process_handle: 0xffffffff
1 0 0
cmdline C:\Windows\system32\cmd.exe /c WMIC OS get osarchitecture >C:\ProgramData\SystemNetwork\arch.txt
section {u'size_of_data': u'0x00013600', u'virtual_address': u'0x000c8000', u'entropy': 7.761774231910825, u'name': u'.rsrc', u'virtual_size': u'0x0001343b'} entropy 7.76177423191 description A section with a high entropy has been found
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url http://www.passport.com
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over Toredo network rule network_toredo
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
cmdline C:\Windows\system32\cmd.exe /c WMIC OS get osarchitecture >C:\ProgramData\SystemNetwork\arch.txt
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
DrWeb Trojan.BtcMine.3419
FireEye Generic.mg.49479db345e2c369
McAfee Artemis!49479DB345E2
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan-Downloader ( 0055b3701 )
Alibaba TrojanDownloader:Win32/HawkEye.0c2f70f8
K7GW Trojan-Downloader ( 0055b3701 )
CrowdStrike win/malicious_confidence_60% (D)
Arcabit Trojan.Generic.D207AE68
Cyren W32/Trojan.ROLC-0073
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:Trojan-gen
Cynet Malicious (score: 100)
BitDefender Trojan.GenericKD.34057832
NANO-Antivirus Trojan.Win32.BtcMine.hlkjfa
ViRobot Trojan.Win32.S.Downloader.908288
MicroWorld-eScan Trojan.GenericKD.34057832
Tencent Win32.Trojan.Generic.Pcst
Ad-Aware Trojan.GenericKD.34057832
Emsisoft Trojan-Downloader.Autoit (A)
Comodo Malware@#2wvqecic24284
F-Secure Heuristic.HEUR/AGEN.1100187
TrendMicro Coinminer.Win32.MALREP.THKBBBO
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.ch
Sophos Mal/Generic-S
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1100187
MAX malware (ai score=100)
Gridinsoft Trojan.Win32.CoinMiner.oa
Microsoft Trojan:Win32/CoinMiner.C!cl
AegisLab Hacktool.Win32.Gamehack.3!e
GData Trojan.GenericKD.34057832
AhnLab-V3 Trojan/Win32.Agent.R285246
VBA32 Trojan.BtcMine
ALYac Trojan.GenericKD.34057832
TACHYON Trojan/W32.Agent.908288
Malwarebytes MachineLearning/Anomalous.96%
ESET-NOD32 a variant of Win32/TrojanDownloader.Autoit.OVB
TrendMicro-HouseCall Coinminer.Win32.MALREP.THKBBBO
Rising Trojan.CoinMiner/Autoit!1.CAC1 (CLASSIC)
eGambit Unsafe.AI_Score_94%
Fortinet AutoIt/Agent.OUJ!tr.dldr
AVG Win32:Trojan-gen
Cybereason malicious.345e2c
Panda Trj/CI.A