Windows Analysis Report
dllhostex.exe

Overview

General Information

Sample name: dllhostex.exe
Analysis ID: 1431569
MD5: 56da116d25207847797fe5f8b085c1b1
SHA1: d2b0399fabc842374af1c01195320640ca81abf0
SHA256: 2d6a5eb8a78cddee8ce90321aab80f85784b11a87b00fde75c4c457998a5aebd

Detection

Xmrig
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Machine Learning detection for sample
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: dllhostex.exe Avira: detected
Source: dllhostex.exe ReversingLabs: Detection: 93%
Source: dllhostex.exe Virustotal: Detection: 80%
Source: dllhostex.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: dllhostex.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.366235531.00000000006B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.366704156.00000000006B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.366688720.000000000063C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dllhostex.exe PID: 2992, type: MEMORYSTR
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: stratum+tcp://
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: cryptonight
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: XMRig 2.14.1
Source: dllhostex.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: dllhostex.exe String found in binary or memory: https://gcc.gnu.org/bugs/):

System Summary

Source: dllhostex.exe, type: SAMPLE Matched rule: Detects Monero mining software Author: Florian Roth
Source: dllhostex.exe, type: SAMPLE Matched rule: Monero mining software Author: Christiaan Beek | McAfee ATR Team
Source: dllhostex.exe, type: SAMPLE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\Desktop\dllhostex.exe Memory allocated: 770B0000 page execute and read and write
Source: dllhostex.exe Static PE information: Number of sections : 11 > 10
Source: dllhostex.exe, 00000000.00000000.366235531.00000000006B3000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexmrig.exe, vs dllhostex.exe
Source: dllhostex.exe Binary or memory string: OriginalFilenamexmrig.exe, vs dllhostex.exe
Source: dllhostex.exe, type: SAMPLE Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth, description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: dllhostex.exe, type: SAMPLE Matched rule: MINER_monero_mining_detection date = 2018-04-05, actor_group = Unknown, actor_type = Cybercrime, author = Christiaan Beek | McAfee ATR Team, description = Monero mining software, malware_family = Ransom:W32/MoneroMiner, rule_version = v1, malware_type = miner
Source: dllhostex.exe, type: SAMPLE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: classification engine Classification label: mal80.mine.winEXE@1/0@0/0
Source: dllhostex.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dllhostex.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dllhostex.exe String found in binary or memory: --help
Source: dllhostex.exe String found in binary or memory: -h, --help display this help and exit
Source: dllhostex.exe String found in binary or memory: [01;32mresumedresumedCtrl+C received, exitingOK-h--help-V--versionXMRig 2.14.1
Source: dllhostex.exe String found in binary or memory: Failed to find previously-added IP address
Source: dllhostex.exe String found in binary or memory: Previously-added IP address had counter of zero
Source: dllhostex.exe String found in binary or memory: T:/Bin-prep/mhd/src/libmicrohttpd-0.9.58/src/microhttpd/daemon.cPreviously-added IP address had counter of zero
Source: C:\Users\user\Desktop\dllhostex.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\dllhostex.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\dllhostex.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\dllhostex.exe Section loaded: winnsi.dll
Source: dllhostex.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: dllhostex.exe Static file information: File size 2859008 > 1048576
Source: dllhostex.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x238e00
Source: dllhostex.exe Static PE information: section name: .eh_fram
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos