Source: dllhostex.exe |
ReversingLabs: Detection: 93% |
Source: dllhostex.exe |
Virustotal: Detection: 80% |
Source: Yara match |
File source: dllhostex.exe, type: SAMPLE |
Source: Yara match |
File source: 00000000.00000000.366235531.00000000006B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.366704156.00000000006B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.366688720.000000000063C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: dllhostex.exe PID: 2992, type: MEMORYSTR |
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: stratum+tcp:// |
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: cryptonight |
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: -o, --url=URL URL of mining server |
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Usage: xmrig [OPTIONS] |
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: XMRig 2.14.1 |
Source: dllhostex.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: dllhostex.exe |
String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: dllhostex.exe, type: SAMPLE |
Matched rule: Detects Monero mining software Author: Florian Roth |
Source: dllhostex.exe, type: SAMPLE |
Matched rule: Monero mining software Author: Christiaan Beek | McAfee ATR Team |
Source: dllhostex.exe, type: SAMPLE |
Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth |
Source: C:\Users\user\Desktop\dllhostex.exe |
Memory allocated: 770B0000 page execute and read and write |
Source: dllhostex.exe |
Static PE information: Number of sections : 11 > 10 |
Source: dllhostex.exe, 00000000.00000000.366235531.00000000006B3000.00000008.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamexmrig.exe, vs dllhostex.exe |
Source: dllhostex.exe |
Binary or memory string: OriginalFilenamexmrig.exe, vs dllhostex.exe |
Source: dllhostex.exe, type: SAMPLE |
Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth, description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: dllhostex.exe, type: SAMPLE |
Matched rule: MINER_monero_mining_detection date = 2018-04-05, actor_group = Unknown, actor_type = Cybercrime, author = Christiaan Beek | McAfee ATR Team, description = Monero mining software, malware_family = Ransom:W32/MoneroMiner, rule_version = v1, malware_type = miner |
Source: dllhostex.exe, type: SAMPLE |
Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/ |
Source: classification engine |
Classification label: mal80.mine.winEXE@1/0@0/0 |
Source: dllhostex.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\dllhostex.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: dllhostex.exe |
String found in binary or memory: --help |
Source: dllhostex.exe |
String found in binary or memory: -h, --help display this help and exit |
Source: dllhostex.exe |
String found in binary or memory: [01;32mresumedresumedCtrl+C received, exitingOK-h--help-V--versionXMRig 2.14.1 |
Source: dllhostex.exe |
String found in binary or memory: Failed to find previously-added IP address |
Source: dllhostex.exe |
String found in binary or memory: Previously-added IP address had counter of zero |
Source: dllhostex.exe |
String found in binary or memory: T:/Bin-prep/mhd/src/libmicrohttpd-0.9.58/src/microhttpd/daemon.cPreviously-added IP address had counter of zero |
Source: C:\Users\user\Desktop\dllhostex.exe |
Section loaded: wow64win.dll |
Source: C:\Users\user\Desktop\dllhostex.exe |
Section loaded: wow64cpu.dll |
Source: C:\Users\user\Desktop\dllhostex.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\dllhostex.exe |
Section loaded: winnsi.dll |
Source: dllhostex.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: dllhostex.exe |
Static file information: File size 2859008 > 1048576 |
Source: dllhostex.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x238e00 |
Source: dllhostex.exe |
Static PE information: section name: .eh_fram |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |