General
- Target: 4c642a19cdc35181a2ac62acf3255ad0284bdec654e206c3330d447024ae58a7
- Size: 270KB
- Sample: 220124-fg27jaccfr
- MD5: b991d1cd0c4f87b74aa63e3bf2e53826
- SHA1: 5be81ca9aa7abd3a5358121b15123c1844ce819c
- SHA256: 4c642a19cdc35181a2ac62acf3255ad0284bdec654e206c3330d447024ae58a7
- SHA512: 78baf0af42c3db9bd7d719cc688a70e967f3e0d279481f50ad7952909e9f84e2c804f7ec49dba7a829b1f1d54e409a7dfa9793748585474a5e7f33d22b37aae2
Static task
- static1

Malware Config
- Extracted: tofsee
  - patmushta.info
  - ovicrush.cn
Targets
- Target: 4c642a19cdc35181a2ac62acf3255ad0284bdec654e206c3330d447024ae58a7
- Size: 270KB
- MD5: b991d1cd0c4f87b74aa63e3bf2e53826
- SHA1: 5be81ca9aa7abd3a5358121b15123c1844ce819c
- SHA256: 4c642a19cdc35181a2ac62acf3255ad0284bdec654e206c3330d447024ae58a7
- SHA512: 78baf0af42c3db9bd7d719cc688a70e967f3e0d279481f50ad7952909e9f84e2c804f7ec49dba7a829b1f1d54e409a7dfa9793748585474a5e7f33d22b37aae2
- Signatures:
  - XMRig Miner Payload
  - Creates new service(s)
  - Executes dropped EXE
  - Modifies Windows Firewall
  - Sets service image path in registry
  - Deletes itself
  - Legitimate hosting services abused for malware hosting/C2
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext