General

Target: d5296dd7e388103ee0c57f8f56aa40f870a027046ef229c05780fa02cb40a8be
Size: 270KB
Sample: 220124-a9l35ahah2
MD5: d65fa3775e61633210fa5956d0d5e83f
SHA1: 0bc6e9526131276785a9a0d25acbc1ebfc4ab11a
SHA256: d5296dd7e388103ee0c57f8f56aa40f870a027046ef229c05780fa02cb40a8be
SHA512: 4a7f26ef3b1538f1ac639468b3314b30e6594ae8e231854dbb897d40bd2c5ed14f8c56286b2ffaec54c92dc9be3992d6e7a00918a259c005b1e1d6592fd4e7b9

Static task: static1

Malware Config

Extracted:
- tofsee
- patmushta.info
- ovicrush.cn

Targets

Target: d5296dd7e388103ee0c57f8f56aa40f870a027046ef229c05780fa02cb40a8be
Size: 270KB
MD5: d65fa3775e61633210fa5956d0d5e83f
SHA1: 0bc6e9526131276785a9a0d25acbc1ebfc4ab11a
SHA256: d5296dd7e388103ee0c57f8f56aa40f870a027046ef229c05780fa02cb40a8be
SHA512: 4a7f26ef3b1538f1ac639468b3314b30e6594ae8e231854dbb897d40bd2c5ed14f8c56286b2ffaec54c92dc9be3992d6e7a00918a259c005b1e1d6592fd4e7b9

Signatures:
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext