popup

Report - LUCIM.exe

Generic Malware PE File PE64
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.03.07 09:53 Machine s1_win7_x6403
Filename LUCIM.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score Not founds Behavior Score
2.0
ZERO API file : malware
VT API (file) 56 detected (AIDetectMalware, Reflo, Malicious, score, Ghanarava, Artemis, Unsafe, Whisperer, Save, confidence, 100%, Attribute, HighConfidence, high confidence, CrypterX, Tedy, Nekark, jzawhf, Kryptik, tSjl4DNY5BP, AGEN, Siggen20, GenKryptik, Static AI, Malicious PE, Detected, Xmrig, Barys, Eldorado, ClbU5jI4, susgen, GIIA, CWZB3DGW)
md5 c4b8578d2354c38613669b1c82a08ccb
sha256 3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2
ssdeep 98304:NT336TFxAfmqqUalE4J+B09AWLLpOWb8xH9leXF8gFgynRQ3JGPpL:xF3qhlE4J+BZWLLpOWb8xHzW+gFHfpL
imphash d3be2dc19ba54f7225d7679c3f791cf7
impfuzzy 24:1fPJx+kTdF0tWJd1jIlMblRf5XG6qXZgJkomvlA/GbtcqcJvZJF:1fPL+kT6kSslJJG6qJgk1vm/GbuqcJLF
  Network IP location

Signature (4cnts)

Level Description
danger File has been identified by 56 AntiVirus engines on VirusTotal as malicious
danger File has been identified by 56 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (9cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info 1 dumpmem
info 1 memory
info 1 office
info 1 scripts
info 1 urls
info 94102 shellcode

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
rentry.org
whois
FR OVH SAS 164.132.58.105 clean
xmr-eu1.nanopool.org
whois
Unknown 162.19.224.121 mailcious
51.89.23.91
whois
DE OVH SAS 51.89.23.91 clean
164.132.58.105
whois
FR OVH SAS 164.132.58.105 clean

Suricata ids

ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
&emsp

Similarity measure (PE file only) - Checking for service failure