Windows Analysis Report
adobe.exe.bin.exe

Overview

General Information

Sample name: adobe.exe.bin.exe
Analysis ID: 1637281
MD5: 15c4b0373ccf36b67c7aebfe2e2ace0f
SHA1: 5507fe730525d7ea2c09d4555de91ee9469147a2
SHA256: 9b5f69edc956a4e361ffe36c0758fe43fd8b6aea18bcd46696c7c7a7064aa40d
Tags: exe, user-TornadoAV_dev

Detection

Xmrig
Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Detected Stratum mining protocol
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
PE file has nameless sections
Potential thread-based time evasion detected
Switches to a custom stack to bypass stack traces
Abnormal high CPU Usage
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Suricata IDS alerts with low severity for network traffic

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: adobe.exe.bin.exe Virustotal: Detection: 28%
Source: adobe.exe.bin.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000002.3343267947.0000021A684F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: adobe.exe.bin.exe PID: 6580, type: MEMORYSTR
Source: global traffic TCP traffic: 192.168.2.7:49681 -> 185.188.182.40:8080 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":null,"pass":null,"agent":"xmrig/5.6.0 (windows nt 10.0; win64; x64) libuv/1.34.0 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/gpu","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: global traffic TCP traffic: 192.168.2.7:63767 -> 178.128.242.134:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470","pass":"x","agent":"xmrig/5.6.0 (windows nt 10.0; win64; x64) libuv/1.34.0 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/gpu","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/1","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}.
Source: conhost.exe, 00000001.00000002.3343196061.00000125A441A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: XMRig 5.6.0
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 4x nop then dec ecx 0_2_0000021A67B80000
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 4x nop then dec ecx 0_2_0000021A67B8F67D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 4x nop then dec ecx 0_2_0000021A67B8367D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 4x nop then dec ecx 0_2_0000021A67B8767D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 4x nop then dec ecx 0_2_0000021A67B8B67D
Source: global traffic TCP traffic: 192.168.2.7:49681 -> 185.188.182.40:8080
Source: global traffic TCP traffic: 192.168.2.7:63767 -> 178.128.242.134:3333
Source: global traffic TCP traffic: 192.168.2.7:63760 -> 1.1.1.1:53
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
Source: Network traffic Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.7:63767 -> 178.128.242.134:3333
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: domainup619.icu
Source: global traffic DNS traffic detected: DNS query: donate.v2.xmrig.com
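Worked example, added here and not part of the Joe Sandbox report: a small Python classifier for the Stratum (JSON-RPC 2.0) login handshake captured above. It recognises the `login` request, pulls the miner family and version out of `params.agent`, the pool login (a wallet or derived ID, or null as in the first flow), and whether RandomX (`rx/*`) algorithms are offered. The flow tuples are constructed from the report's two payloads with the long `algo` lists shortened; the two non-Stratum flows and their 203.0.113.x addresses are made up to show that the parser ignores ordinary traffic on the same ports.

```python
import json
import re

# Constructed test input: the two login messages from the report's pcap (algo lists shortened)
# plus two unrelated flows. Tuple layout: (src_ip, src_port, dst_ip, dst_port, payload).
FLOWS = [
    ("192.168.2.7", 49681, "185.188.182.40", 8080,
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":null,"pass":null,'
     '"agent":"xmrig/5.6.0 (windows nt 10.0; win64; x64) libuv/1.34.0 msvc/2019",'
     '"algo":["cn/1","cn/2","rx/0","rx/wow","argon2/chukwa"]}}'),
    ("192.168.2.7", 63767, "178.128.242.134", 3333,
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{'
     '"login":"c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470","pass":"x",'
     '"agent":"xmrig/5.6.0 (windows nt 10.0; win64; x64) libuv/1.34.0 msvc/2019",'
     '"algo":["rx/0","cn/2","cn/r","argon2/chukwa"]}}'),
    # Made-up non-Stratum traffic on the same destination ports (must not alert).
    ("192.168.2.7", 50000, "203.0.113.10", 8080, "GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("192.168.2.7", 50001, "203.0.113.11", 3333, '{"id":1,"jsonrpc":"2.0","method":"submit","params":{}}'),
]

# "xmrig/5.6.0 (...)" -> family "xmrig", version "5.6.0"
AGENT_RE = re.compile(r"^([A-Za-z0-9_-]+)/(\d+(?:\.\d+)+)")


def classify_stratum_login(payload: str):
    """Return a dict describing a Stratum 'login' request, or None for anything else.

    XMRig's login carries the pool credentials in params.login/params.pass, its build
    string in params.agent and the hash algorithms it supports in params.algo.
    """
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or msg.get("method") != "login":
        return None
    params = msg.get("params")
    if not isinstance(params, dict) or "agent" not in params or "algo" not in params:
        return None
    m = AGENT_RE.match(params.get("agent") or "")
    algos = list(params.get("algo") or [])
    return {
        "miner": m.group(1).lower() if m else None,
        "version": m.group(2) if m else None,
        "login": params.get("login"),
        "algos": algos,
        # rx/* is RandomX, Monero's proof-of-work since 2019
        "randomx": any(a.startswith("rx/") for a in algos),
    }


def scan_flows(flows):
    """Run the classifier over (src, sport, dst, dport, payload) tuples and return alerts."""
    alerts = []
    for src, sport, dst, dport, payload in flows:
        info = classify_stratum_login(payload)
        if info is None:
            continue
        # A null login is still a miner handshake; alert on the protocol, not on the credentials.
        note = "login without credentials" if info["login"] is None else "login with pool credentials"
        alerts.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "note": note, **info})
    return alerts


if __name__ == "__main__":
    for a in scan_flows(FLOWS):
        print(f'{a["src"]} -> {a["dst"]}: {a["miner"]} {a["version"]} randomx={a["randomx"]} ({a["note"]})')
```

Matching on the JSON-RPC structure rather than on the port is the point: the same handshake appears here on 8080 and on 3333, and the port-based Sigma and Suricata hits above only fire once the destination or port happens to be on a list.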

System Summary

Source: adobe.exe.bin.exe Static PE information: 12 sections with an empty (nameless) section name
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B80000 0_2_0000021A67B80000
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B8F67D 0_2_0000021A67B8F67D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B8367D 0_2_0000021A67B8367D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B8767D 0_2_0000021A67B8767D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B8B67D 0_2_0000021A67B8B67D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B8C2F3 0_2_0000021A67B8C2F3
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B902F3 0_2_0000021A67B902F3
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B802F3 0_2_0000021A67B802F3
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B842F3 0_2_0000021A67B842F3
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Code function: 0_2_0000021A67B882F3 0_2_0000021A67B882F3
Source: adobe.exe.bin.exe Static PE information: Number of sections : 13 > 10
Source: adobe.exe.bin.exe Static PE information: Section (unnamed): ZLIB complexity 1.0001547759433962
Source: adobe.exe.bin.exe Static PE information: Section (unnamed): ZLIB complexity 0.9969882484243697
Source: adobe.exe.bin.exe Static PE information: Section (unnamed): ZLIB complexity 0.992483428030303
Source: classification engine Classification label: mal84.evad.mine.winEXE@2/0@2/2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: adobe.exe.bin.exe Virustotal: Detection: 28%
Source: adobe.exe.bin.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\adobe.exe.bin.exe File read: C:\Users\user\Desktop\adobe.exe.bin.exe
Source: unknown Process created: C:\Users\user\Desktop\adobe.exe.bin.exe "C:\Users\user\Desktop\adobe.exe.bin.exe"
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Section loaded: fwpuclnt.dll
Source: adobe.exe.bin.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: adobe.exe.bin.exe Static file information: File size 2426880 > 1048576
Source: adobe.exe.bin.exe Static PE information: Raw size of unnamed section is bigger than 0x100000: 0x136800 > 0x100000
Source: adobe.exe.bin.exe Static PE information: real checksum: 0x254bc4 should be: 0x25622e
Source: adobe.exe.bin.exe Static PE information: 12 sections with an empty (non-standard) section name
Source: adobe.exe.bin.exe Static PE information: unnamed section, entropy: 7.999694396456135
Source: adobe.exe.bin.exe Static PE information: unnamed section, entropy: 7.996466043483207
Source: adobe.exe.bin.exe Static PE information: unnamed section, entropy: 7.9857401780696184
Source: adobe.exe.bin.exe Static PE information: unnamed section, entropy: 7.226492043604237
Source: adobe.exe.bin.exe Static PE information: unnamed section, entropy: 7.2194579931633145
Source: adobe.exe.bin.exe Static PE information: unnamed section, entropy: 7.799568685142867
Source: adobe.exe.bin.exe Static PE information: unnamed section, entropy: 7.966792875027433
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
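Worked example, added here and not part of the report: a dependency-free Python triage that reproduces the static PE checks listed above (nameless sections, section count above 10, per-section Shannon entropy, and the checksum recomputation behind "real checksum ... should be ..."). The sample itself is not available on this page, so `build_pe` constructs a minimal PE32+ image with two nameless high-entropy sections and one plain-text section; that layout, the section contents from `pseudo_random_bytes` and the borrowed wrong checksum value are assumptions for the demonstration only.

```python
import hashlib
import math
import struct

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte (0.0..8.0); packed or encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    n, counts = len(buf), [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_checksum(data: bytes) -> int:
    """Recompute OptionalHeader.CheckSum as imagehlp's CheckSumMappedFile does: 32-bit adds with
    carry folding over the file (skipping the CheckSum field), fold to 16 bits, add the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = (e_lfanew + 4 + 20 + 0x40) & ~3   # PE signature + COFF header + 0x40 into the optional header
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF

def triage_pe(data: bytes) -> dict:
    """Walk the COFF, optional and section headers and apply the static checks the report fired."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "raw_size": raw_size, "entropy": round(ent, 3)})
    computed = pe_checksum(data)
    nameless = sum(1 for s in sections if s["name"] == "")
    findings = []
    if nameless:
        findings.append(f"{nameless} nameless section(s)")
    if nsec > 10:
        findings.append(f"number of sections {nsec} > 10")
    for s in sections:
        if s["raw_size"] >= 0x200 and s["entropy"] > 7.0:
            findings.append(f"high-entropy section {s['name']!r}: {s['entropy']}")
    if stored != computed:
        findings.append(f"invalid checksum: real {stored:#x} should be {computed:#x}")
    return {"sections": sections, "number_of_sections": nsec, "nameless": nameless,
            "stored_checksum": stored, "computed_checksum": computed,
            "checksum_ok": stored == computed, "findings": findings}

def build_pe(sections, checksum=None) -> bytes:
    """Constructed test input (not the report's sample): a minimal PE32+ image from (name, payload)
    pairs. checksum=None stores the correct CheckSum; any other value is written as given."""
    nsec = len(sections)
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                         # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, 0xF0, 0x22)  # COFF header, x64
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                                           # PE32+ magic
    struct.pack_into("<QII", opt, 24, 0x140000000, 0x1000, 0x200)                   # ImageBase, SectionAlignment, FileAlignment
    hdr += opt
    raw_ptr = first_raw = (len(hdr) + 40 * nsec + 0x1FF) & ~0x1FF
    body, va = b"", 0x1000
    for name, payload in sections:
        raw_size = (len(payload) + 0x1FF) & ~0x1FF
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += (raw_size + 0xFFF) & ~0xFFF
    image = bytearray(bytes(hdr).ljust(first_raw, b"\0") + body)
    struct.pack_into("<I", image, 0x40 + 24 + 0x40, pe_checksum(image) if checksum is None else checksum)
    return bytes(image)

def pseudo_random_bytes(n: int, seed: bytes = b"constructed-high-entropy") -> bytes:
    """Deterministic SHA-256 chain standing in for packed section data (entropy close to 8.0)."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

# Constructed sample: two nameless packed-looking sections plus one plain-text section.
SAMPLE_SECTIONS = [("", pseudo_random_bytes(4096)), ("", pseudo_random_bytes(2048, b"second")),
                   (".rdata", b"plain configuration text, repeated " * 40)]
```

`triage_pe(build_pe(SAMPLE_SECTIONS, checksum=0x254BC4))["findings"]` yields the nameless-section, high-entropy and invalid-checksum findings for the constructed image; `triage_pe(open(path, "rb").read())` runs the same checks on a real file. A checksum mismatch alone is weak evidence, since user-mode binaries are not required to carry a valid CheckSum; treat it as corroboration for the nameless-section and near-8.0 entropy findings, which together are the packing signal.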

Malware Analysis System Evasion

Source: Initial file Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\adobe.exe.bin.exe API/Special instruction interceptor: Address: 7FFC1B60D304
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Window / User API: threadDelayed 468
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Window / User API: threadDelayed 3883
Source: C:\Users\user\Desktop\adobe.exe.bin.exe TID: 6848 Thread sleep time: -3883000s >= -30000s
Source: C:\Users\user\Desktop\adobe.exe.bin.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\adobe.exe.bin.exe Last function: Thread delayed
Source: adobe.exe.bin.exe, 00000000.00000002.3342943293.0000021A67E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: adobe.exe.bin.exe, 00000000.00000002.3342943293.0000021A67E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\adobe.exe.bin.exe NtProtectVirtualMemory: Indirect: 0x7FF6FDFAE3F8
Source: conhost.exe, 00000001.00000002.3342837248.00000125A2AF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: conhost.exe, 00000001.00000002.3342837248.00000125A2AF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000001.00000002.3342837248.00000125A2AF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000001.00000002.3342837248.00000125A2AF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock