xmrig

General

Target

EAC-BE-Injector-main.zip
Size

8.2MB
Sample

210817-3vhaxetrbx
MD5

8e4e37b5eed8e8a9f3fc4df235fafbaf
SHA1

f1901a4e25e76a98f25651b6bb4a599c072db034
SHA256

2f550e12caaba848c555fc526c78f5880fa9e0b506dd4958a161a2403326abb9
SHA512

e1009fe016bd97834dea7d511a522f756c6fecc02cee05d64059f2394b9261fd1217ba69ff2f68fccdd2cbf20c8c112980d8cf60adeb35009e92115c0b8165a0

Score

10^/10

Malware Config

Targets

- Target
  
  PagePoolInjector/injector.exe
- Size
  
  3.4MB
- MD5
  
  cfc3984a2b7c140e79cd2ae42afffe42
- SHA1
  
  1a8061504f534700802a6a17ab609b2fc988ab71
- SHA256
  
  53c847547c4994568c24fd7381fc7225978bf1aeee758cc247366e4786411818
- SHA512
  
  3a5b88caa7e922b559d22eae67a836480bb17af06ebcbae0eb55be4df6e6bb7d721b572d5e25210ee9d2f98155820ba6e62de8fe788d2a8e01e2a67256601589
Score

1^/10
behavioral1
- Target
  
  PagePoolInjector/qico.dll
- Size
  
  30KB
- MD5
  
  f4d5454b19fa7304642dcf8af1312135
- SHA1
  
  a18fd6feb550f3aa629de8fd15d860ea09f14431
- SHA256
  
  ee44dc636bc74eb65decf5d5ec00148b2e74d3edc6d3753ed96fde0a02bd8f74
- SHA512
  
  4d0e017e088be0d614ce31d21da3a7c550f0a8fa2d89f6d5a835bc7d6b401b9098a8791b8bd1818d2fa62059535a537a9f599730b1b319c5724e78bad54c8fcb
Score

1^/10
behavioral2
- Target
  
  PagePoolInjector/qwindows.dll
- Size
  
  1.3MB
- MD5
  
  cccd2450d93d192881e8dc9e9b7b0b8f
- SHA1
  
  bb920b93ca8ca6a07d246af64e4c5be78556ccc2
- SHA256
  
  3f1c4aad186b8f3297f4a817c1b3d8fdaed786d0c963b61954756d57665f148a
- SHA512
  
  9b049c576a6aed18a7e151ce81d58d6274bc3c8b11fde014d98d3bbb225dc6e49992ce204aaadb42fbd8cc7c348308e2f791ce63e1f4b595da4990e3fc6d10aa
Score

10^/10

xmrig evasion miner persistence pyinstaller spyware stealer themida trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3