Edit tour

Windows Analysis Report
dllhostex.exe

Overview

General Information

Sample name:	dllhostex.exe
Analysis ID:	1431569
MD5:	56da116d25207847797fe5f8b085c1b1
SHA1:	d2b0399fabc842374af1c01195320640ca81abf0
SHA256:	2d6a5eb8a78cddee8ce90321aab80f85784b11a87b00fde75c4c457998a5aebd
Infos:

Detection

Xmrig

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Found strings related to Crypto-Mining

Machine Learning detection for sample

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w7x64

dllhostex.exe (PID: 2992 cmdline: "C:\Users\user\Desktop\dllhostex.exe" MD5: 56DA116D25207847797FE5F8B085C1B1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
dllhostex.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
dllhostex.exe	XMRIG_Monero_Miner	Detects Monero mining software	Florian Roth	0x23b012:$s2: --cpu-affinity set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x23ad2a:$s3: -p, --pass=PASSWORD password for mining server
dllhostex.exe	MINER_monero_mining_detection	Monero mining software	Christiaan Beek \| McAfee ATR Team	0x23b012:$2: --cpu-affinity set process affinity to CPU core(s), mask 0x3 for cores 0 and 1 0x23b1a6:$4: --user-agent set custom user-agent string for pool 0x23acb0:$5: -O, --userpass=U:P username:password pair for mining server 0x23b06d:$6: --cpu-priority set process priority (0 idle, 2 normal to 5 highest) 0x23ad2a:$7: -p, --pass=PASSWORD password for mining server 0x23b297:$10: --max-cpu-usage=N maximum CPU usage for automatic threads mode (default 75) 0x2ac641:$12: The ID below indicates application support for Windows 10 --> 0x23af68:$14: -r, --retries=N number of times to retry before switch to backup server (default: 5) 0x23b1e3:$15: -B, --background run the miner in the background 0x23b412:$17: --api-access-token=T access token for API 0x23adb8:$18: -t, --threads=N number of miner threads 0x23b39f:$19: --print-time=N print hashrate report every N seconds 0x23acf4:$20: -u, --user=USERNAME username for mining server
dllhostex.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x23d7c9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x23cba3:$s1: [%s] login error code: %d 0x243f72:$s2: \\?\pipe\uv\%p-%lu

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.366235531.00000000006B3000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.366704156.00000000006B3000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.366688720.000000000063C000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: dllhostex.exe PID: 2992	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: dllhostex.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: dllhostex.exe	ReversingLabs: Detection: 93%
Source: dllhostex.exe	Virustotal: Detection: 80%			Perma Link

Machine Learning detection for sample

Source: dllhostex.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dllhostex.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.366235531.00000000006B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.366704156.00000000006B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.366688720.000000000063C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dllhostex.exe PID: 2992, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: stratum+tcp://
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: cryptonight
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: stratum+tcp://
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: dllhostex.exe, 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: XMRig 2.14.1

Source: dllhostex.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: dllhostex.exe

String found in binary or memory: https://gcc.gnu.org/bugs/):

System Summary

Malicious sample detected (through community Yara rule)

Source: dllhostex.exe, type: SAMPLE	Matched rule: Detects Monero mining software Author: Florian Roth
Source: dllhostex.exe, type: SAMPLE	Matched rule: Monero mining software Author: Christiaan Beek \| McAfee ATR Team
Source: dllhostex.exe, type: SAMPLE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth

Source: C:\Users\user\Desktop\dllhostex.exe

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Source: dllhostex.exe

Static PE information: Number of sections : 11 > 10

Source: dllhostex.exe, 00000000.00000000.366235531.00000000006B3000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexmrig.exe, vs dllhostex.exe
Source: dllhostex.exe	Binary or memory string: OriginalFilenamexmrig.exe, vs dllhostex.exe

Source: dllhostex.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: dllhostex.exe, type: SAMPLE	Matched rule: XMRIG_Monero_Miner date = 2018-01-04, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, author = Florian Roth, description = Detects Monero mining software, reference = https://github.com/xmrig/xmrig/releases, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: dllhostex.exe, type: SAMPLE	Matched rule: MINER_monero_mining_detection date = 2018-04-05, actor_group = Unknown, actor_type = Cybercrime, author = Christiaan Beek \| McAfee ATR Team, description = Monero mining software, malware_family = Ransom:W32/MoneroMiner, rule_version = v1, malware_type = miner
Source: dllhostex.exe, type: SAMPLE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Source: classification engine

Classification label: mal80.mine.winEXE@1/0@0/0

Source: dllhostex.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dllhostex.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dllhostex.exe	ReversingLabs: Detection: 93%
Source: dllhostex.exe	Virustotal: Detection: 80%

Source: dllhostex.exe	String found in binary or memory: --help
Source: dllhostex.exe	String found in binary or memory: --help
Source: dllhostex.exe	String found in binary or memory: -h, --help display this help and exit
Source: dllhostex.exe	String found in binary or memory: -h, --help display this help and exit
Source: dllhostex.exe	String found in binary or memory: [01;32mresumedresumedCtrl+C received, exitingOK-h--help-V--versionXMRig 2.14.1
Source: dllhostex.exe	String found in binary or memory: [01;32mresumedresumedCtrl+C received, exitingOK-h--help-V--versionXMRig 2.14.1
Source: dllhostex.exe	String found in binary or memory: Failed to find previously-added IP address
Source: dllhostex.exe	String found in binary or memory: Previously-added IP address had counter of zero
Source: dllhostex.exe	String found in binary or memory: T:/Bin-prep/mhd/src/libmicrohttpd-0.9.58/src/microhttpd/daemon.cPreviously-added IP address had counter of zero

Source: C:\Users\user\Desktop\dllhostex.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\dllhostex.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\dllhostex.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dllhostex.exe	Section loaded: winnsi.dll	Jump to behavior

Source: dllhostex.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: dllhostex.exe

Static file information: File size 2859008 > 1048576

Source: dllhostex.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x238e00

Source: dllhostex.exe

Static PE information: section name: .eh_fram

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dllhostex.exe	94%	ReversingLabs	Win32.Coinminer.Malxmr
dllhostex.exe	80%	Virustotal		Browse
dllhostex.exe	100%	Avira	PUA/GM.Miner.OW
dllhostex.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
https://gcc.gnu.org/bugs/):	dllhostex.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431569
Start date and time:	2024-04-25 13:18:48 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dllhostex.exe
Detection:	MAL
Classification:	mal80.mine.winEXE@1/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information

File type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.2758528235918085
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	dllhostex.exe
File size:	2'859'008 bytes
MD5:	56da116d25207847797fe5f8b085c1b1
SHA1:	d2b0399fabc842374af1c01195320640ca81abf0
SHA256:	2d6a5eb8a78cddee8ce90321aab80f85784b11a87b00fde75c4c457998a5aebd
SHA512:	5847709c012836a56d1514de539525f40f1073d9ac382e2a7ed43ec79d1b9c7e9f592d08809649c6577fb2e87865616b8986b671279f9f472cda6b2ae2ace81e
SSDEEP:	49152:Nx2RyWADkFL21kRRvJ9lSnRB/NyIhsgY3rhCuLkmSJ5:GzFL215n/NyJhCj
TLSH:	B6D53B98F64360E0C6530EB1905EEA3BDA343E0D8030FABBEFD6EA48E473755B549156
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-..\..................#...+...............#...@.......................... ,.....<f,....... .......................*.~..

File Icon


Icon Hash:	aaf3e3e3918382a0

Static PE Info

General

Entrypoint:	0x401500
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x5C80D42D [Thu Mar 7 08:19:57 2019 UTC]
TLS Callbacks:	0x499260, 0x499210, 0x4ac2e0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	596a050a7a2a7f0667fea5148e07ccc2

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [006ABCB8h], 00000000h
call 00007F277C597C43h
add esp, 0Ch
jmp 00007F277C4FFCDBh
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 0063C000h
call dword ptr [006AE700h]
sub esp, 04h
test eax, eax
je 00007F277C5000F5h
mov ebx, eax
mov dword ptr [esp], 0063C000h
call dword ptr [006AE770h]
sub esp, 04h
mov edi, dword ptr [006AE710h]
mov dword ptr [006AC760h], eax
mov dword ptr [esp+04h], 0063C013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 0063C029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [0063A004h], eax
test esi, esi
je 00007F277C500093h
mov dword ptr [esp+04h], 006AB01Ch
mov dword ptr [esp], 006590C8h
call esi
mov dword ptr [esp], 004015D0h
call 00007F277C597AC3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi
pop edi
pop ebp
ret
lea esi, dword ptr [esi+00000000h]
mov dword ptr [0063A004h], 0049DE80h
mov esi, 0049DC40h
jmp 00007F277C500042h
jmp 00007F277C50008Fh
nop
nop
nop
nop

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2ad000	0x57e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ae000	0x2558	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b3000	0xaf7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b4000	0xd75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2b2004	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2ae5f0	0x53c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x238c9c	0x238e00	a7005a84899ceefb78ca17d2588a17e3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x23a000	0x17a4	0x1800	7b4eb83696c3819a81515f673380b877	False	0.13981119791666666	data	1.2564638748343255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x23c000	0x1cf40	0x1d000	a4649bbcdf49d4d3809c2b38703e668d	False	0.3849255792025862	data	6.173856952555778	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0x259000	0x51094	0x51200	dca8c20ea382cbf250289ad714861e43	False	0.21369715427580893	data	4.943483255212455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x2ab000	0x1900	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x2ad000	0x57e	0x600	9ba80acf159689ac9b3bd369d12cb51c	False	0.42578125	data	4.9451405183508985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x2ae000	0x2558	0x2600	4dbfdbaec009b606082e4c89a038e499	False	0.3617393092105263	data	5.492049970064249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x2b1000	0x38	0x200	84115bc1dbef2efde70508ca74df30e1	False	0.080078125	Matlab v4 mat-file (little endian) \260\220I, numeric, rows 4198704, columns 0	0.3398375245953951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x2b2000	0x20	0x200	c86cd5bc388a04800f801ee4f7409142	False	0.056640625	data	0.20544562813451883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2b3000	0xaf7	0xc00	eaefd9d3538037b14b26e290c145bf29	False	0.3375651041666667	data	4.338974057081514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x2b4000	0xd75c	0xd800	827557035cb21cf479b9daddae3bb33e	False	0.6793981481481481	data	6.707810614985702	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2b30b8	0x31c	data			0.4472361809045226
RT_VERSION	0x2b33d4	0x294	OpenPGP Secret Key	English	United States	0.4909090909090909
RT_MANIFEST	0x2b3668	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
ADVAPI32.dll	AdjustTokenPrivileges, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetTokenInformation, GetUserNameW, LookupPrivilegeValueW, LsaAddAccountRights, LsaClose, LsaOpenPolicy, OpenProcessToken, RegCloseKey, RegOpenKeyExW, RegQueryValueExW
IPHLPAPI.DLL	GetAdaptersAddresses
KERNEL32.dll	AddVectoredExceptionHandler, AssignProcessToJobObject, CancelIo, CloseHandle, ConnectNamedPipe, CopyFileW, CreateDirectoryW, CreateEventA, CreateFileA, CreateFileW, CreateHardLinkW, CreateIoCompletionPort, CreateJobObjectW, CreateNamedPipeA, CreateNamedPipeW, CreateProcessW, CreateSemaphoreA, CreateSemaphoreW, CreateToolhelp32Snapshot, DebugBreak, DeleteCriticalSection, DeviceIoControl, DuplicateHandle, EnterCriticalSection, FileTimeToSystemTime, FillConsoleOutputAttribute, FillConsoleOutputCharacterW, FlushFileBuffers, FlushInstructionCache, FormatMessageA, FreeConsole, FreeLibrary, GetConsoleCursorInfo, GetConsoleMode, GetConsoleScreenBufferInfo, GetConsoleTitleW, GetConsoleWindow, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileType, GetHandleInformation, GetLastError, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetNamedPipeHandleStateA, GetNumberOfConsoleInputEvents, GetProcAddress, GetProcessAffinityMask, GetProcessIoCounters, GetProcessTimes, GetQueuedCompletionStatus, GetShortPathNameW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetSystemInfo, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount, GlobalMemoryStatusEx, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, IsDBCSLeadByteEx, IsDebuggerPresent, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LocalAlloc, LocalFree, MoveFileExW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryPerformanceCounter, QueryPerformanceFrequency, QueueUserWorkItem, RaiseException, ReadConsoleInputW, ReadConsoleW, ReadDirectoryChangesW, ReadFile, RegisterWaitForSingleObject, ReleaseSemaphore, RemoveDirectoryW, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleCtrlHandler, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleMode, SetConsoleTextAttribute, SetConsoleTitleW, SetCurrentDirectoryW, SetEnvironmentVariableW, SetErrorMode, SetEvent, SetFilePointerEx, SetFileTime, SetHandleInformation, SetInformationJobObject, SetLastError, SetNamedPipeHandleState, SetPriorityClass, SetProcessAffinityMask, SetSystemTime, SetThreadAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, UnregisterWait, UnregisterWaitEx, VerSetConditionMask, VerifyVersionInfoA, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeW, WideCharToMultiByte, WriteConsoleInputW, WriteConsoleW, WriteFile
msvcrt.dll	__argv, __dllonexit, __doserrno, __getmainargs, __initenv, __lconv_init, __mb_cur_max, __set_app_type, __setusermatherr, _acmdln, _aligned_free, _aligned_malloc, _amsg_exit, _beginthreadex, _cexit, _close, _endthreadex, _errno, _close, _exit, _fdopen, _fileno, _fmode, _fstat64, _get_osfhandle, _initterm, _iob, _lock, _lseeki64, _onexit, _open_osfhandle, _read, _read, _setjmp3, _snwprintf, _strdup, _stricmp, _strnicmp, _ultoa, _umask, _unlock, _vsnprintf, _wchmod, _wcsdup, _wcsnicmp, _wcsrev, _wmkdir, _wopen, _write, _write, _wrmdir, abort, atoi, calloc, exit, fclose, fflush, fopen, fprintf, fputc, fputs, free, fwprintf, fwrite, getenv, gmtime, islower, isspace, isupper, iswctype, localeconv, localtime, longjmp, malloc, memchr, memcmp, memcpy, memmove, memset, printf, qsort, raise, rand, realloc, setlocale, setvbuf, signal, sprintf, srand, strchr, strcmp, strcoll, strcpy, strerror, strftime, strlen, strncmp, strncpy, strrchr, strstr, strtol, strtoul, strxfrm, time, towlower, towupper, vfprintf, wcschr, wcscoll, wcscpy, wcsftime, wcslen, wcsncmp, wcsncpy, wcspbrk, wcsrchr, wcstombs, wcsxfrm
PSAPI.DLL	GetProcessMemoryInfo
USER32.dll	DispatchMessageA, GetMessageA, MapVirtualKeyW, MessageBoxW, SetWinEventHook, ShowWindow, TranslateMessage
USERENV.dll	GetUserProfileDirectoryW
WS2_32.dll	FreeAddrInfoW, GetAddrInfoW, WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSAIoctl, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSASetLastError, WSASocketW, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, gethostname, getpeername, getsockname, getsockopt, htonl, htons, ioctlsocket, listen, ntohs, recv, select, send, setsockopt, shutdown, socket

Exports

Name	Ordinal	Address
MHD_add_connection	1	0x487c30
MHD_add_response_footer	2	0x48cde0
MHD_add_response_header	3	0x48ccc0
MHD_create_response_for_upgrade	4	0x48d810
MHD_create_response_from_buffer	5	0x48d5e0
MHD_create_response_from_callback	6	0x48d0f0
MHD_create_response_from_data	7	0x48d4f0
MHD_create_response_from_fd	8	0x48d390
MHD_create_response_from_fd64	9	0x48d430
MHD_create_response_from_fd_at_offset	10	0x48d1d0
MHD_create_response_from_fd_at_offset64	11	0x48d2b0
MHD_del_response_header	12	0x48cf00
MHD_destroy_response	13	0x48d980
MHD_free	14	0x48b320
MHD_get_connection_info	15	0x481960
MHD_get_connection_values	16	0x480a80
MHD_get_daemon_info	17	0x48ad10
MHD_get_fdset	18	0x487790
MHD_get_fdset2	19	0x487800
MHD_get_reason_phrase_for	20	0x484c30
MHD_get_response_header	21	0x48d020
MHD_get_response_headers	22	0x48cfb0
MHD_get_timeout	23	0x488560
MHD_get_version	24	0x48ade0
MHD_http_unescape	25	0x48af70
MHD_is_feature_supported	26	0x48adf0
MHD_lookup_connection_value	27	0x480b70
MHD_queue_response	28	0x481b50
MHD_quiesce_daemon	29	0x488d60
MHD_resume_connection	30	0x487b60
MHD_run	31	0x488d10
MHD_run_from_select	32	0x488c50
MHD_set_connection_option	33	0x4819e0
MHD_set_connection_value	34	0x480b00
MHD_set_panic_func	35	0x48adc0
MHD_set_response_options	36	0x48d1a0
MHD_start_daemon	37	0x489f90
MHD_start_daemon_va	38	0x489200
MHD_stop_daemon	39	0x488ed0
MHD_suspend_connection	40	0x4879c0
MHD_upgrade_action	41	0x48d6d0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	13:19:47
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\dllhostex.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dllhostex.exe"
Imagebase:	0x400000
File size:	2'859'008 bytes
MD5 hash:	56DA116D25207847797FE5F8B085C1B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.366235531.00000000006B3000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.366704156.00000000006B3000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.366223831.000000000063C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.366688720.000000000063C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dllhostex.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: dllhostex.exePID: 2992, Parent PID: 1244

General

Chronological Activities

Disassembly

Windows Analysis Report
dllhostex.exe