xmrig | 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004_x64

Sharing

General

Target

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b
Size

171KB
Sample

220504-pqmmwagdeq
MD5

b2983dc6d009875de6e6e97be5779db0
SHA1

11fd9f1b527eae215d51865dee19b3dceabd918c
SHA256

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b
SHA512

bbc86e6e5895c9ce90edde8c70178b70017891156929534d7ff7dabd0f435a0ee68863c95e888d3aaffef9efa3ac265c7e574715eb85e52c1c6ca970da546cea

Score

10^/10

xmrig discovery evasion exploit miner spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe

Resource

win10v2004-20220414-en

xmrig discovery evasion exploit miner spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b
- Size
  
  171KB
- MD5
  
  b2983dc6d009875de6e6e97be5779db0
- SHA1
  
  11fd9f1b527eae215d51865dee19b3dceabd918c
- SHA256
  
  557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b
- SHA512
  
  bbc86e6e5895c9ce90edde8c70178b70017891156929534d7ff7dabd0f435a0ee68863c95e888d3aaffef9efa3ac265c7e574715eb85e52c1c6ca970da546cea
Score

10^/10

xmrig discovery evasion exploit miner spyware stealer suricata
- suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
  suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
  suricata
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

File Permissions Modification

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

xmrigdiscoveryevasionexploitminerspywarestealersuricata

© 2018-2024

Terms | Privacy