General
Target: 6b3fe813b728d0e1f9fc3b6f8815ccbe6a4b5817f4c8c109957b0c78a3441dff
Size: 249KB
Sample: 220123-hr5rhsfchj
MD5: 54100ce9e9eeb2351e96ef8942559fbd
SHA1: 4c9435c8dc4cfcc0323b49e49d10f212c066829f
SHA256: 6b3fe813b728d0e1f9fc3b6f8815ccbe6a4b5817f4c8c109957b0c78a3441dff
SHA512: 0d82f6ff85d7db1a981a3099a4fdce88f06a2008cbc633ad1545a89501b9b685edb6aecdd4863097c8551d46995220408fe5eb777cfcb4f016b7eb84b27bbed7
Static task: static1
Malware Config
Extracted (tofsee):
- patmushta.info
- ovicrush.cn
Targets
Target: 6b3fe813b728d0e1f9fc3b6f8815ccbe6a4b5817f4c8c109957b0c78a3441dff (249KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext