Report - xmrig.exe

Tags: Malicious Packer, UPX, Malicious Library, OS Processor Check, PE File, PE64
Created 2023.02.21 14:36 Machine s1_win7_x6403
Filename xmrig.exe
Type PE32+ executable (console) x86-64, for MS Windows
AI Score 1
Behavior Score 2.0
ZERO API (file): clean
VT API (file) 50 detected (BitCoinMiner, malicious, high confidence, score, Miner, grayware, confidence, Coinminer, Eldorado, Attribute, HighConfidence, RiskTool, ooba, jurbxe, CoinminerX, Dflw, AGEN, XMRig Miner, Detected, Miner3, Artemis, ai score=73, Unsafe, R002H0CB423, HackTool, XMRMiner, CLASSIC, VHilIsDLq0w, Static AI, Malicious PE, susgen)
md5 6c454e10bbea489cfc96253fe55ec282
sha256 a12c34fef1d6475d99aa9af2e8bf1fd55bca83982a0ee2a9131ffd9fd15cb2a7
ssdeep 98304:u0eUU9n9S8uIqzzCRrXdKrMiAeA4qG36UiVuiTK5GaRqayVMBzi0:rU9bZB4L3RYu3GaRqVaW0
imphash 2e3e4d2cfd6226981f42ae1c2abe7b12
impfuzzy 96:GehI5PoLULX1oj3cpejwgfTdkI9Nr8Dejys6JWaI4kXcGBgiM38aqooirbnshXJg:m5tFWbwodkI3f6JW4kDXE1rb2XW

Signature (4cnts)

Level Description
danger File has been identified by 50 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (6cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO
(no network requests were recorded in this run; the IAT below imports the Winsock client API, so the empty table reflects this sandbox run and the absence of a reachable pool, not a lack of network capability in the binary)

Suricata IDS (none)

PE API

IAT (Import Address Table)

WS2_32.dll
 0x14037d8d0 recv
 0x14037d8d8 ntohs
 0x14037d8e0 htons
 0x14037d8e8 send
 0x14037d8f0 WSASetLastError
 0x14037d8f8 WSAGetLastError
 0x14037d900 select
 0x14037d908 WSARecvFrom
 0x14037d910 WSASocketW
 0x14037d918 WSASend
 0x14037d920 WSARecv
 0x14037d928 WSAIoctl
 0x14037d930 gethostname
 0x14037d938 WSADuplicateSocketW
 0x14037d940 shutdown
 0x14037d948 getpeername
 0x14037d950 FreeAddrInfoW
 0x14037d958 GetAddrInfoW
 0x14037d960 htonl
 0x14037d968 socket
 0x14037d970 setsockopt
 0x14037d978 listen
 0x14037d980 closesocket
 0x14037d988 bind
 0x14037d990 WSACleanup
 0x14037d998 WSAStartup
 0x14037d9a0 getsockopt
 0x14037d9a8 getsockname
 0x14037d9b0 ioctlsocket
IPHLPAPI.DLL
 0x14037d150 GetAdaptersAddresses
USERENV.dll
 0x14037d8c0 GetUserProfileDirectoryW
CRYPT32.dll
 0x14037d110 CertOpenStore
 0x14037d118 CertCloseStore
 0x14037d120 CertEnumCertificatesInStore
 0x14037d128 CertGetCertificateContextProperty
 0x14037d130 CertDuplicateCertificateContext
 0x14037d138 CertFreeCertificateContext
 0x14037d140 CertFindCertificateInStore
KERNEL32.dll
 0x14037d160 SetConsoleMode
 0x14037d168 GetConsoleMode
 0x14037d170 QueryPerformanceFrequency
 0x14037d178 QueryPerformanceCounter
 0x14037d180 SizeofResource
 0x14037d188 LockResource
 0x14037d190 LoadResource
 0x14037d198 FindResourceW
 0x14037d1a0 ExpandEnvironmentStringsA
 0x14037d1a8 GetConsoleWindow
 0x14037d1b0 GetSystemFirmwareTable
 0x14037d1b8 HeapFree
 0x14037d1c0 HeapAlloc
 0x14037d1c8 GetProcessHeap
 0x14037d1d0 MultiByteToWideChar
 0x14037d1d8 SetPriorityClass
 0x14037d1e0 GetCurrentProcess
 0x14037d1e8 SetThreadPriority
 0x14037d1f0 GetSystemPowerStatus
 0x14037d1f8 GetCurrentThread
 0x14037d200 GetProcAddress
 0x14037d208 GetModuleHandleW
 0x14037d210 GetTickCount
 0x14037d218 CloseHandle
 0x14037d220 FreeConsole
 0x14037d228 VirtualProtect
 0x14037d230 VirtualFree
 0x14037d238 VirtualAlloc
 0x14037d240 GetLargePageMinimum
 0x14037d248 LocalAlloc
 0x14037d250 GetLastError
 0x14037d258 LocalFree
 0x14037d260 FlushInstructionCache
 0x14037d268 GetCurrentThreadId
 0x14037d270 AddVectoredExceptionHandler
 0x14037d278 DeviceIoControl
 0x14037d280 GetModuleFileNameW
 0x14037d288 CreateFileW
 0x14037d290 SetLastError
 0x14037d298 GetSystemTime
 0x14037d2a0 SystemTimeToFileTime
 0x14037d2a8 GetModuleHandleExW
 0x14037d2b0 EnterCriticalSection
 0x14037d2b8 LeaveCriticalSection
 0x14037d2c0 InitializeCriticalSectionAndSpinCount
 0x14037d2c8 DeleteCriticalSection
 0x14037d2d0 TlsAlloc
 0x14037d2d8 TlsGetValue
 0x14037d2e0 TlsSetValue
 0x14037d2e8 TlsFree
 0x14037d2f0 SwitchToFiber
 0x14037d2f8 DeleteFiber
 0x14037d300 CreateFiber
 0x14037d308 FindClose
 0x14037d310 FindFirstFileW
 0x14037d318 FindNextFileW
 0x14037d320 WideCharToMultiByte
 0x14037d328 GetFileType
 0x14037d330 WriteFile
 0x14037d338 ConvertFiberToThread
 0x14037d340 ConvertThreadToFiber
 0x14037d348 GetCurrentProcessId
 0x14037d350 GetSystemTimeAsFileTime
 0x14037d358 FreeLibrary
 0x14037d360 LoadLibraryA
 0x14037d368 LoadLibraryW
 0x14037d370 GetEnvironmentVariableW
 0x14037d378 ReadConsoleA
 0x14037d380 ReadConsoleW
 0x14037d388 PostQueuedCompletionStatus
 0x14037d390 CreateFileA
 0x14037d398 DuplicateHandle
 0x14037d3a0 SetEvent
 0x14037d3a8 ResetEvent
 0x14037d3b0 WaitForSingleObject
 0x14037d3b8 CreateEventA
 0x14037d3c0 Sleep
 0x14037d3c8 QueueUserWorkItem
 0x14037d3d0 RegisterWaitForSingleObject
 0x14037d3d8 UnregisterWait
 0x14037d3e0 GetNumberOfConsoleInputEvents
 0x14037d3e8 ReadConsoleInputW
 0x14037d3f0 FillConsoleOutputCharacterW
 0x14037d3f8 FillConsoleOutputAttribute
 0x14037d400 GetConsoleCursorInfo
 0x14037d408 SetConsoleCursorInfo
 0x14037d410 GetConsoleScreenBufferInfo
 0x14037d418 SetConsoleCursorPosition
 0x14037d420 SetConsoleTextAttribute
 0x14037d428 WriteConsoleInputW
 0x14037d430 CreateDirectoryW
 0x14037d438 FlushFileBuffers
 0x14037d440 GetDiskFreeSpaceW
 0x14037d448 GetFileAttributesW
 0x14037d450 GetFileInformationByHandle
 0x14037d458 GetFileSizeEx
 0x14037d460 GetFinalPathNameByHandleW
 0x14037d468 GetFullPathNameW
 0x14037d470 SetUnhandledExceptionFilter
 0x14037d478 RemoveDirectoryW
 0x14037d480 SetConsoleTitleA
 0x14037d488 SetFileTime
 0x14037d490 GetSystemInfo
 0x14037d498 MapViewOfFile
 0x14037d4a0 FlushViewOfFile
 0x14037d4a8 UnmapViewOfFile
 0x14037d4b0 CreateFileMappingA
 0x14037d4b8 ReOpenFile
 0x14037d4c0 CopyFileW
 0x14037d4c8 MoveFileExW
 0x14037d4d0 CreateHardLinkW
 0x14037d4d8 GetFileInformationByHandleEx
 0x14037d4e0 CreateSymbolicLinkW
 0x14037d4e8 InitializeCriticalSection
 0x14037d4f0 SetConsoleCtrlHandler
 0x14037d4f8 GetCurrentDirectoryW
 0x14037d500 GetLongPathNameW
 0x14037d508 GetShortPathNameW
 0x14037d510 CreateIoCompletionPort
 0x14037d518 ReadDirectoryChangesW
 0x14037d520 VerSetConditionMask
 0x14037d528 GetEnvironmentStringsW
 0x14037d530 FreeEnvironmentStringsW
 0x14037d538 SetEnvironmentVariableW
 0x14037d540 SetCurrentDirectoryW
 0x14037d548 GetTempPathW
 0x14037d550 GlobalMemoryStatusEx
 0x14037d558 VerifyVersionInfoA
 0x14037d560 FileTimeToSystemTime
 0x14037d568 RtlUnwind
 0x14037d570 SetHandleInformation
 0x14037d578 CancelIoEx
 0x14037d580 CancelIo
 0x14037d588 SwitchToThread
 0x14037d590 SetFileCompletionNotificationModes
 0x14037d598 LoadLibraryExW
 0x14037d5a0 FormatMessageA
 0x14037d5a8 SetErrorMode
 0x14037d5b0 GetQueuedCompletionStatus
 0x14037d5b8 InitializeSRWLock
 0x14037d5c0 ReleaseSRWLockExclusive
 0x14037d5c8 AcquireSRWLockExclusive
 0x14037d5d0 TryEnterCriticalSection
 0x14037d5d8 InitializeConditionVariable
 0x14037d5e0 WakeConditionVariable
 0x14037d5e8 WakeAllConditionVariable
 0x14037d5f0 SleepConditionVariableCS
 0x14037d5f8 ReleaseSemaphore
 0x14037d600 ResumeThread
 0x14037d608 GetNativeSystemInfo
 0x14037d610 CreateSemaphoreA
 0x14037d618 ConnectNamedPipe
 0x14037d620 SetNamedPipeHandleState
 0x14037d628 PeekNamedPipe
 0x14037d630 CreateNamedPipeW
 0x14037d638 CancelSynchronousIo
 0x14037d640 GetNamedPipeHandleStateA
 0x14037d648 TerminateProcess
 0x14037d650 GetExitCodeProcess
 0x14037d658 UnregisterWaitEx
 0x14037d660 LCMapStringW
 0x14037d668 DebugBreak
 0x14037d670 GetModuleHandleA
 0x14037d678 LoadLibraryExA
 0x14037d680 GetStartupInfoW
 0x14037d688 GetModuleFileNameA
 0x14037d690 GetVersionExA
 0x14037d698 GetProcessAffinityMask
 0x14037d6a0 SetProcessAffinityMask
 0x14037d6a8 SetThreadAffinityMask
 0x14037d6b0 GetComputerNameA
 0x14037d6b8 RtlVirtualUnwind
 0x14037d6c0 RtlLookupFunctionEntry
 0x14037d6c8 RtlCaptureContext
 0x14037d6d0 CreateEventW
 0x14037d6d8 GetStringTypeW
 0x14037d6e0 GetStdHandle
 0x14037d6e8 WriteConsoleW
 0x14037d6f0 SetFilePointerEx
 0x14037d6f8 UnhandledExceptionFilter
 0x14037d700 IsProcessorFeaturePresent
 0x14037d708 IsDebuggerPresent
 0x14037d710 InitializeSListHead
 0x14037d718 RtlUnwindEx
 0x14037d720 RtlPcToFileHeader
 0x14037d728 RaiseException
 0x14037d730 SetStdHandle
 0x14037d738 GetCommandLineA
 0x14037d740 GetCommandLineW
 0x14037d748 CreateThread
 0x14037d750 ExitThread
 0x14037d758 FreeLibraryAndExitThread
 0x14037d760 GetDriveTypeW
 0x14037d768 SystemTimeToTzSpecificLocalTime
 0x14037d770 ExitProcess
 0x14037d778 GetFileAttributesExW
 0x14037d780 SetFileAttributesW
 0x14037d788 GetConsoleCP
 0x14037d790 CompareStringW
 0x14037d798 GetLocaleInfoW
 0x14037d7a0 IsValidLocale
 0x14037d7a8 GetUserDefaultLCID
 0x14037d7b0 EnumSystemLocalesW
 0x14037d7b8 HeapReAlloc
 0x14037d7c0 GetTimeZoneInformation
 0x14037d7c8 HeapSize
 0x14037d7d0 SetEndOfFile
 0x14037d7d8 FindFirstFileExW
 0x14037d7e0 IsValidCodePage
 0x14037d7e8 GetACP
 0x14037d7f0 GetOEMCP
 0x14037d7f8 ReadFile
 0x14037d800 K32GetProcessMemoryInfo
 0x14037d808 InitializeCriticalSectionEx
 0x14037d810 WaitForSingleObjectEx
 0x14037d818 GetExitCodeThread
 0x14037d820 SleepConditionVariableSRW
 0x14037d828 EncodePointer
 0x14037d830 DecodePointer
 0x14037d838 LCMapStringEx
 0x14037d840 CompareStringEx
 0x14037d848 GetCPInfo
USER32.dll
 0x14037d868 GetProcessWindowStation
 0x14037d870 GetUserObjectInformationW
 0x14037d878 ShowWindow
 0x14037d880 GetLastInputInfo
 0x14037d888 DispatchMessageA
 0x14037d890 GetMessageA
 0x14037d898 GetSystemMetrics
 0x14037d8a0 MapVirtualKeyW
 0x14037d8a8 TranslateMessage
 0x14037d8b0 MessageBoxW
SHELL32.dll
 0x14037d858 SHGetSpecialFolderPathA
ole32.dll
 0x14037d9d0 CoInitializeEx
 0x14037d9d8 CoCreateInstance
 0x14037d9e0 CoUninitialize
ADVAPI32.dll
 0x14037d000 SystemFunction036
 0x14037d008 GetUserNameW
 0x14037d010 CryptEnumProvidersW
 0x14037d018 CryptSignHashW
 0x14037d020 CryptDestroyHash
 0x14037d028 CryptCreateHash
 0x14037d030 CryptDecrypt
 0x14037d038 CryptExportKey
 0x14037d040 CryptGetUserKey
 0x14037d048 CryptGetProvParam
 0x14037d050 CryptSetHashParam
 0x14037d058 CryptDestroyKey
 0x14037d060 CryptReleaseContext
 0x14037d068 CryptAcquireContextW
 0x14037d070 ReportEventW
 0x14037d078 RegisterEventSourceW
 0x14037d080 DeregisterEventSource
 0x14037d088 CreateServiceW
 0x14037d090 QueryServiceStatus
 0x14037d098 CloseServiceHandle
 0x14037d0a0 OpenSCManagerW
 0x14037d0a8 QueryServiceConfigA
 0x14037d0b0 DeleteService
 0x14037d0b8 ControlService
 0x14037d0c0 StartServiceW
 0x14037d0c8 OpenServiceW
 0x14037d0d0 LookupPrivilegeValueW
 0x14037d0d8 AdjustTokenPrivileges
 0x14037d0e0 OpenProcessToken
 0x14037d0e8 LsaOpenPolicy
 0x14037d0f0 LsaAddAccountRights
 0x14037d0f8 LsaClose
 0x14037d100 GetTokenInformation
bcrypt.dll
 0x14037d9c0 BCryptGenRandom

EAT (Export Address Table): none
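The import table is the most useful static signal in this report, and it explains two of the sandbox findings above. The "Allocates read-write-execute memory (usually to unpack itself)" notice is consistent with the UPX rule hit, but XMRig also emits RandomX JIT code into executable memory at runtime (VirtualAlloc, VirtualProtect, FlushInstructionCache), so RWX allocation persists after unpacking. GetLargePageMinimum together with LookupPrivilegeValueW, AdjustTokenPrivileges and LsaAddAccountRights matches XMRig's documented huge-pages support, which grants SeLockMemoryPrivilege to the current account. The Service Control Manager imports (OpenSCManagerW, CreateServiceW, StartServiceW, DeleteService) and the Winsock client imports are the capabilities a responder should look for in behaviour, since neither was exercised in this run. The Python below is an added example (my code, not the sandbox's or XMRig's): it tags those capabilities from a (DLL, function) list and reproduces the imphash normalization that pefile uses. The list REPORT_IMPORTS is a constructed subset of the IAT on this page, the tag names are my own, and the imphash of a subset will not equal the page's imphash; feed it the full table from a real file via imports_from_file to compare against 2e3e4d2cfd6226981f42ae1c2abe7b12.

```python
import hashlib

# Constructed subset of the IAT listed in this report, as (DLL, function) pairs.
# Only entries referenced by CAPABILITY_RULES are reproduced here.
REPORT_IMPORTS = [
    ("WS2_32.dll", "WSAStartup"), ("WS2_32.dll", "socket"),
    ("WS2_32.dll", "GetAddrInfoW"), ("WS2_32.dll", "send"), ("WS2_32.dll", "recv"),
    ("KERNEL32.dll", "VirtualAlloc"), ("KERNEL32.dll", "VirtualProtect"),
    ("KERNEL32.dll", "FlushInstructionCache"),
    ("KERNEL32.dll", "GetLargePageMinimum"),
    ("KERNEL32.dll", "SetProcessAffinityMask"), ("KERNEL32.dll", "SetThreadAffinityMask"),
    ("KERNEL32.dll", "SetThreadPriority"), ("KERNEL32.dll", "SetPriorityClass"),
    ("KERNEL32.dll", "GetSystemFirmwareTable"), ("KERNEL32.dll", "GetComputerNameA"),
    ("ADVAPI32.dll", "LookupPrivilegeValueW"), ("ADVAPI32.dll", "AdjustTokenPrivileges"),
    ("ADVAPI32.dll", "OpenProcessToken"), ("ADVAPI32.dll", "LsaOpenPolicy"),
    ("ADVAPI32.dll", "LsaAddAccountRights"),
    ("ADVAPI32.dll", "OpenSCManagerW"), ("ADVAPI32.dll", "CreateServiceW"),
    ("ADVAPI32.dll", "StartServiceW"), ("ADVAPI32.dll", "DeleteService"),
    ("bcrypt.dll", "BCryptGenRandom"),
]

# Capability tags (names are mine): a tag fires only when every listed
# function is imported, which keeps single common APIs from triggering it.
CAPABILITY_RULES = {
    "winsock-client": {"WSAStartup", "socket", "GetAddrInfoW", "send", "recv"},
    "rwx-jit-memory": {"VirtualAlloc", "VirtualProtect", "FlushInstructionCache"},
    "large-pages-privilege": {"GetLargePageMinimum", "LookupPrivilegeValueW",
                              "AdjustTokenPrivileges", "LsaAddAccountRights"},
    "cpu-pinning": {"SetProcessAffinityMask", "SetThreadAffinityMask",
                    "SetThreadPriority"},
    "host-fingerprint": {"GetSystemFirmwareTable", "GetComputerNameA"},
    "service-install": {"OpenSCManagerW", "CreateServiceW", "StartServiceW"},
}


def imphash_string(imports):
    """Normalized 'dll.func,dll.func,...' string that imphash hashes.

    Mirrors pefile's convention: lowercase everything, strip a .dll/.ocx/.sys
    suffix, keep import-directory order. Ordinal-only imports (pefile maps
    them through an ordinal table) are not handled by this helper.
    """
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.append(f"{name}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalized import string, as reported by sandboxes and VT."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def capabilities(imports):
    """Sorted list of capability tags whose required functions are all present."""
    present = {func for _, func in imports}
    return sorted(tag for tag, required in CAPABILITY_RULES.items() if required <= present)


def imports_from_file(path):
    """Read the real IAT with the third-party pefile module (assumed installed).

    Returns (DLL, function) pairs in directory order so imphash() agrees with
    pefile's own pe.get_imphash() for files without ordinal-only imports.
    """
    import pefile  # not part of the standard library
    pe = pefile.PE(path)
    return [(entry.dll.decode(), imp.name.decode())
            for entry in pe.DIRECTORY_ENTRY_IMPORT
            for imp in entry.imports if imp.name]


if __name__ == "__main__":
    print("imphash (subset):", imphash(REPORT_IMPORTS))
    for tag in capabilities(REPORT_IMPORTS):
        print("capability:", tag)
```

When run over the subset this prints all six tags; the "service-install" and "winsock-client" tags are the ones to chase in a live incident, since a miner that reached a pool would show the stratum connection this sandbox run did not record.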


