Report - lolMiner.exe

Created 2021.04.10 09:23 Machine s1_win7_x6402
Filename lolMiner.exe
Type PE32+ executable (console) x86-64, for MS Windows
AI Score 2
Behavior Score 3.8
ZERO API file : clean
VT API (file) 40 detected (malicious, high confidence, Coinminer, Unsafe, QDFS, Miner, Bitcoinminer, FileRepMalware, HackTool, CLOUD, ApplicUnwnt@#35as3iiatmqs8, VSNTBN21, Artemis, Static AI, Suspicious PE, RiskTool, ai score=99, score, Miner3)
md5 3c9dcc91e05dc05a01fff739e40474d7
sha256 6dd7b3d944595429136366b908fd18d3cac315c6f1453dd4cb5bcafa9e9a95a6
ssdeep 98304:o9qZFSd9o31ZlZP9ybmBCTauIejZc3j20L8ghQLj9INDwhPBlsR2Yv1sTFt:o8yS1LxQbmkVjZczjL8ghQxIBwhPBlso
imphash 46c33c2ddb9269495943f4bbe9ce669d
impfuzzy 6:omRg/GVKXKBJAEoZ/OEGDzyRkNTaYDML1KcA5PJ:omRg/WdABZG/DzDZ5PJ

Signature (7cnts)

Level Description
danger File has been identified by 40 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX

Rules (9cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info HasOverlay Overlay Check binaries (upload)
info HasRichSignature Rich Signature Check binaries (upload)
info IsConsole (no description) binaries (upload)
info IsPacked Entropy Check binaries (upload)
info Str_Win32_Winsock2_Library Match Winsock 2 API library declaration binaries (upload)
info win_registry Affect system registries binaries (upload)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1618013728&mv=u&mvi=3&pcm2cms=yes&pl=18&shardbypass=yes KR Korea Telecom 59.18.44.14 clean
http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe US GOOGLE 172.217.174.110 clean
https://update.googleapis.com/service/update2?cup2key=10:2918620959&cup2hreq=20b23180095e8ee832d7a3e00a81651de5511b478ee0c64cc6d1faa93c33504d US GOOGLE 142.250.66.67 clean
r3---sn-3u-bh26.gvt1.com KR Korea Telecom 59.18.44.14 clean
59.18.44.14 KR Korea Telecom 59.18.44.14 clean
142.250.66.67 US GOOGLE 142.250.66.67 clean

Suricata ids

PE API

IAT (Import Address Table) Library

ADVAPI32.dll
 0x141e1f2a4 RegCloseKey
crypt.dll
 0x141e1f2b4 BCryptGenRandom
CRYPT32.dll
 0x141e1f2c4 CertOpenStore
KERNEL32.DLL
 0x141e1f2d4 LoadLibraryA
 0x141e1f2dc ExitProcess
 0x141e1f2e4 GetProcAddress
 0x141e1f2ec VirtualProtect
MSWSOCK.dll
 0x141e1f2fc AcceptEx
OpenCL.dll
 0x141e1f30c clRetainEvent
SETUPAPI.dll
 0x141e1f31c SetupDiGetClassDevsA
USER32.dll
 0x141e1f32c ShowWindow
WS2_32.dll
 0x141e1f33c ntohl

EAT (Export Address Table): none
