General
- Target: Cleaner.bat
- Size: 3.1MB
- Sample: 220517-n58yzsbeb2
- MD5: b0f63b3801d950a3ce8f27d08d4b413a
- SHA1: 5445683bc8c1bdc716ae84cd59dea91ae814dd19
- SHA256: 0162d08202e23240665087b0dfe32652406b6c0595096bb6666234e829cd6233
- SHA512: 051f9fcba315db5f9cc0dec07c1736f984ef94151b92e7ecc3c6823529f4e55270ff44bd08416a77a9f0eb8c732b679ff0500932d309ab51e645b4db909cfc43
Static task: static1
Behavioral task: behavioral1
- Sample: Cleaner.bat
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Cleaner.bat
- Resource: win10v2004-20220414-en
Malware Config
Targets
- Target: Cleaner.bat
- Size: 3.1MB
- MD5: b0f63b3801d950a3ce8f27d08d4b413a
- SHA1: 5445683bc8c1bdc716ae84cd59dea91ae814dd19
- SHA256: 0162d08202e23240665087b0dfe32652406b6c0595096bb6666234e829cd6233
- SHA512: 051f9fcba315db5f9cc0dec07c1736f984ef94151b92e7ecc3c6823529f4e55270ff44bd08416a77a9f0eb8c732b679ff0500932d309ab51e645b4db909cfc43
Score: 10/10
- XMRig Miner Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext