Windows Analysis Report
adobe.exe.bin.exe

Overview

General Information

Sample name: adobe.exe.bin.exe
Analysis ID: 1637281
MD5: 15c4b0373ccf36b67c7aebfe2e2ace0f
SHA1: 5507fe730525d7ea2c09d4555de91ee9469147a2
SHA256: 9b5f69edc956a4e361ffe36c0758fe43fd8b6aea18bcd46696c7c7a7064aa40d
Tags: exe, user-TornadoAV_dev

Detection

Xmrig
Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Detected Stratum mining protocol
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
PE file has nameless sections
Potential thread-based time evasion detected
Switches to a custom stack to bypass stack traces
Abnormal high CPU Usage
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • adobe.exe.bin.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\adobe.exe.bin.exe" MD5: 15C4B0373CCF36B67C7AEBFE2E2ACE0F)
    • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Malware family information

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Yara matches (Source | Rule | Description | Author; the Strings column is empty for all matches):

dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000000.00000002.3343267947.0000021A684F0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Process Memory Space: adobe.exe.bin.exe PID: 6580 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

System Summary

Sigma match
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 185.188.182.40, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\adobe.exe.bin.exe, Initiated: true, ProcessId: 6580, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49681

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):

2025-03-13T13:43:54.976050+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.7 | 63767 | 178.128.242.134 | 3333 | TCP

AV Detection

Source: adobe.exe.bin.exe | Virustotal: Detection: 28%
Source: adobe.exe.bin.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability

Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000000.00000002.3343267947.0000021A684F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: adobe.exe.bin.exe PID: 6580, type: MEMORYSTR
Source: global traffic | TCP traffic: 192.168.2.7:49681 -> 185.188.182.40:8080 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":null,"pass":null,"agent":"xmrig/5.6.0 (windows nt 10.0; win64; x64) libuv/1.34.0 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/gpu","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}
Source: global traffic | TCP traffic: 192.168.2.7:63767 -> 178.128.242.134:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470","pass":"x","agent":"xmrig/5.6.0 (windows nt 10.0; win64; x64) libuv/1.34.0 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/gpu","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/1","rx/wow","rx/loki","rx/arq","rx/sfx","argon2/chukwa","argon2/wrkz"]}}
Source: conhost.exe, 00000001.00000002.3343196061.00000125A441A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: XMRig 5.6.0
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 4x nop then dec ecx | 0_2_0000021A67B80000
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 4x nop then dec ecx | 0_2_0000021A67B8F67D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 4x nop then dec ecx | 0_2_0000021A67B8367D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 4x nop then dec ecx | 0_2_0000021A67B8767D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 4x nop then dec ecx | 0_2_0000021A67B8B67D
Source: global traffic | TCP traffic: 192.168.2.7:49681 -> 185.188.182.40:8080
Source: global traffic | TCP traffic: 192.168.2.7:63767 -> 178.128.242.134:3333
Source: global traffic | TCP traffic: 192.168.2.7:63760 -> 1.1.1.1:53
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.7:63767 -> 178.128.242.134:3333
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: domainup619.icu
Source: global traffic | DNS traffic detected: DNS query: donate.v2.xmrig.com

System Summary

Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B80000 | 0_2_0000021A67B80000
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B8F67D | 0_2_0000021A67B8F67D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B8367D | 0_2_0000021A67B8367D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B8767D | 0_2_0000021A67B8767D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B8B67D | 0_2_0000021A67B8B67D
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B8C2F3 | 0_2_0000021A67B8C2F3
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B902F3 | 0_2_0000021A67B902F3
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B802F3 | 0_2_0000021A67B802F3
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B842F3 | 0_2_0000021A67B842F3
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Code function: 0_2_0000021A67B882F3 | 0_2_0000021A67B882F3
Source: adobe.exe.bin.exe | Static PE information: Number of sections : 13 > 10
Source: adobe.exe.bin.exe | Static PE information: Section: <empty> ZLIB complexity 1.0001547759433962
Source: adobe.exe.bin.exe | Static PE information: Section: <empty> ZLIB complexity 0.9969882484243697
Source: adobe.exe.bin.exe | Static PE information: Section: <empty> ZLIB complexity 0.992483428030303
Source: classification engine | Classification label: mal84.evad.mine.winEXE@2/0@2/2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: adobe.exe.bin.exe | Virustotal: Detection: 28%
Source: adobe.exe.bin.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | File read: C:\Users\user\Desktop\adobe.exe.bin.exe
Source: unknown | Process created: C:\Users\user\Desktop\adobe.exe.bin.exe "C:\Users\user\Desktop\adobe.exe.bin.exe"
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Section loaded: fwpuclnt.dll
Source: adobe.exe.bin.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: adobe.exe.bin.exe | Static file information: File size 2426880 > 1048576
Source: adobe.exe.bin.exe | Static PE information: Raw size of <empty> is bigger than: 0x100000 < 0x136800
Source: adobe.exe.bin.exe | Static PE information: real checksum: 0x254bc4 should be: 0x25622e
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty>
Source: adobe.exe.bin.exe | Static PE information: section name: <empty> entropy: 7.999694396456135
Source: adobe.exe.bin.exe | Static PE information: section name: <empty> entropy: 7.996466043483207
Source: adobe.exe.bin.exe | Static PE information: section name: <empty> entropy: 7.9857401780696184
Source: adobe.exe.bin.exe | Static PE information: section name: <empty> entropy: 7.226492043604237
Source: adobe.exe.bin.exe | Static PE information: section name: <empty> entropy: 7.2194579931633145
Source: adobe.exe.bin.exe | Static PE information: section name: <empty> entropy: 7.799568685142867
Source: adobe.exe.bin.exe | Static PE information: section name: <empty> entropy: 7.966792875027433
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Initial file | Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | API/Special instruction interceptor: Address: 7FFC1B60D304
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Window / User API: threadDelayed 468
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Window / User API: threadDelayed 3883
Source: C:\Users\user\Desktop\adobe.exe.bin.exe TID: 6848 | Thread sleep time: -3883000s >= -30000s
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\adobe.exe.bin.exe | Last function: Thread delayed
Source: adobe.exe.bin.exe, 00000000.00000002.3342943293.0000021A67E60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
Source: adobe.exe.bin.exe, 00000000.00000002.3342943293.0000021A67E60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\adobe.exe.bin.exe | NtProtectVirtualMemory: Indirect: 0x7FF6FDFAE3F8
Source: conhost.exe, 00000001.00000002.3342837248.00000125A2AF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: conhost.exe, 00000001.00000002.3342837248.00000125A2AF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000001.00000002.3342837248.00000125A2AF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: conhost.exe, 00000001.00000002.3342837248.00000125A2AF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
MITRE ATT&CK Matrix

The matrix is listed here per tactic. A leading number in front of a technique is the badge count the report attaches to that technique, kept exactly as extracted; techniques without a number were not flagged for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 2 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 2 Virtualization/Sandbox Evasion; 2 Process Injection; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 211 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 211 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop