popup

Report - java.exe

PE64 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.13 09:27 Machine s1_win7_x6401
Filename java.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
2
 Behavior Score
3.2
ZERO API file : clean
VT API (file) 22 detected (malicious, high confidence, DeepScan, Dacic, BitCoinMiner, CoinMiner, Miner, XMRig Miner, kcloud, Miner3, ai score=89, Anzk, Static AI, Malicious PE)
md5 eda88d322065a9b364e4be013bb849f4
sha256 78d02713e4ac21a18050820c90104b9aaf6e34d9fb5e7bb95f8cfeb87fef4430
ssdeep 12288:mihUQ04kkhWAkyvg/2g3uOEgDDa7H1hFInrRStkbDaYK:mYUQ0uQyA3uuaQ4kb
imphash 62c219be55c8419f7ae2370ab8219a0c
impfuzzy 3:oTE1WYAWBJAEPw1MO/OywS9KTXzhAXwEQaxRegFaAw2Axy9hO6TWFD:oCBJAEoZ/OEGDzyRz5w2AxyTO60D
  Network IP location

Signature (8cnts)

Level Description
warning File has been identified by 22 AntiVirus engines on VirusTotal as malicious
watch Detects Virtual Machines through their custom firmware
notice Foreign language identified in PE resource
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername

Rules (2cnts)

Level Name Description Collection
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
xmr.f2pool.com
whois
CN Hangzhou Alibaba Advertising Co.,Ltd. 203.107.32.162 mailcious
203.107.32.162
whois
CN Hangzhou Alibaba Advertising Co.,Ltd. 203.107.32.162 mailcious

Suricata ids

ET POLICY Cryptocurrency Miner Checkin

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x14045559c LsaClose
KERNEL32.DLL
 0x1404555ac LoadLibraryA
 0x1404555b4 ExitProcess
 0x1404555bc GetProcAddress
 0x1404555c4 VirtualProtect
USER32.dll
 0x1404555d4 ShowWindow
USERENV.dll
 0x1404555e4 GetUserProfileDirectoryW
WS2_32.dll
 0x1404555f4 htons

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure