Report - NewApp.exe

UPX PE File PE64
Created 2024.10.14 10:51 Machine s1_win7_x6403
Filename NewApp.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 2
Behavior Score 2.4
ZERO API
VT API (file) 50 detected (Nekark, Malicious, score, Unsafe, CoinMiner, Kryptik, V37i, confidence, Attribute, HighConfidence, high confidence, GenKryptik, GTSN, MalwareX, Miner, bfmkp, ksqzsh, Reflo, 4KEnqrPNWbT, ofvqb, Siggen29, Generic Reputation PUA, Krypt, Detected, Caynamer, ABRisk, KSAC, R669480, Artemis, Chgt, Gencirc, A9nj)
md5 6c5765152f9720727f9693288b34a8b6
sha256 e2cbf154467a2592dfa9e86d6563f0d0d07ac148140ab2eac81790e916b1c4fb
ssdeep 98304:/YknE60QvK2disEKWIAN9rDUQ60m+E+3syUSIkJEhxfAF8p4ucb0hCH2:/xnh0sbErIYeQ3nEIsyU2Y48CSi
imphash 866dd80efc8771cadfdcea834977b0bb
impfuzzy 24:FMGf5XGf6ZgJkoDqnvZJfQfjBcVma20DW:FzJGfwgkoqnLfQfNcVh+

Signature (5cnts)

Level Description
danger File has been identified by 50 AntiVirus engines on VirusTotal as malicious
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (3cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (5cnts)

Request CC ASN Co IP4 Rule ZERO
xmr-eu1.nanopool.org FR Online S.a.s. 212.47.253.124
pastebin.com US CLOUDFLARENET 104.20.4.235
104.20.3.235 US CLOUDFLARENET 104.20.3.235
163.172.154.142 GB Online S.a.s. 163.172.154.142
146.59.154.106 Unknown 146.59.154.106

Suricata IDS

PE API

IAT (Import Address Table) Library

msvcrt.dll
 0x1405b4000 __C_specific_handler
 0x1405b4008 __getmainargs
 0x1405b4010 __initenv
 0x1405b4018 __iob_func
 0x1405b4020 __set_app_type
 0x1405b4028 __setusermatherr
 0x1405b4030 _amsg_exit
 0x1405b4038 _cexit
 0x1405b4040 _commode
 0x1405b4048 _fmode
 0x1405b4050 _initterm
 0x1405b4058 _onexit
 0x1405b4060 _wcsicmp
 0x1405b4068 _wcsnicmp
 0x1405b4070 abort
 0x1405b4078 calloc
 0x1405b4080 exit
 0x1405b4088 fprintf
 0x1405b4090 free
 0x1405b4098 fwrite
 0x1405b40a0 malloc
 0x1405b40a8 memcpy
 0x1405b40b0 memset
 0x1405b40b8 signal
 0x1405b40c0 strcat
 0x1405b40c8 strcpy
 0x1405b40d0 strlen
 0x1405b40d8 strncmp
 0x1405b40e0 strstr
 0x1405b40e8 vfprintf
 0x1405b40f0 wcscat
 0x1405b40f8 wcscpy
 0x1405b4100 wcslen
 0x1405b4108 wcsncmp
 0x1405b4110 wcsstr
KERNEL32.dll
 0x1405b4120 DeleteCriticalSection
 0x1405b4128 EnterCriticalSection
 0x1405b4130 GetLastError
 0x1405b4138 InitializeCriticalSection
 0x1405b4140 LeaveCriticalSection
 0x1405b4148 SetUnhandledExceptionFilter
 0x1405b4150 Sleep
 0x1405b4158 TlsGetValue
 0x1405b4160 VirtualProtect
 0x1405b4168 VirtualQuery
KERNEL32.dll
 0x1405b4178 HeapAlloc
 0x1405b4180 HeapFree
 0x1405b4188 ExitProcess
 0x1405b4190 GetModuleHandleA
 0x1405b4198 LoadLibraryA
 0x1405b41a0 GetProcAddress

EAT (Export Address Table): none
