General

  • Target

    7858706412.zip

  • Size

    21.3MB

  • Sample

    220907-p95b2acbd5

  • MD5

    d58a80bfc3b470c5536444ee8b6723ba

  • SHA1

    884fcd22ee25702a11865abf5b80c1eb29a151fd

  • SHA256

    9ea9441f7c4279b04044795c514dab27c1a7129dc744044207cdd4dba0859dc9

  • SHA512

    69b97ebabdc08bd4f34cea3d71fb927f8ce37a4d6324338aca13132cb698b261601f5329c0009c29f585ec6d8b40b2b99f0c2db5189838b4583f03423d0f135a

  • SSDEEP

    393216:f/8EgcVki/Z+iXnaD22o6IXj+EJYTR4XyzUsRS0qk92RTkimsKQSoIkOccO:f/gM5fujoFXKEJYT2y4sRSk925kIKJ3Q

Malware Config

Extracted

Family

eternity

Wallets

49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW

Targets

    • Target

      202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f

    • Size

      4.1MB

    • MD5

      f962628bdeea7557ae61ea61b3e8bd51

    • SHA1

      ebec33d67bd123146341e02690637f8a40234f27

    • SHA256

      202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f

    • SHA512

      51c552e057010c759ead1f4ead26477d14a2190f3f3c620e16dad9d06c37d3f82cc8508ac0e6f0febb1715e241ebabf2ffaa9170540ef376d7b878f0368abcb7

    • SSDEEP

      98304:nktEDt0k984nukQYxQFKWRw3hmXsFALcQUkfL3BIdw48phwTpb+:np0k98caxFLRyhulUkD3BIP8b6b+

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942

    • Size

      1.7MB

    • MD5

      9ec8bc3dbfdcfe1540bd3274181ae9bb

    • SHA1

      a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316

    • SHA256

      27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942

    • SHA512

      d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

    • SSDEEP

      49152:1Tvt1GjeX+xaFTx+IJPPpU4XOulXn8djKj:1T7zOaaqPpv8d2

    Score: 8/10
    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29

    • Size

      6.2MB

    • MD5

      a193434018c93b4c84767c80f73f2253

    • SHA1

      77b9de6465dbe9ec0435b44c8c7505471a9bb01d

    • SHA256

      61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29

    • SHA512

      0fa49721e806395c44c2ea1ab17425f45c1cc75b02e4a5b9ffe6e392a4410a868b7d755b260c2952d75046a2ea7753a3de667ecf7d0f07e420e94214a9c3cfee

    • SSDEEP

      98304:HWP0e39YV6AbdmorKY6Q5o8UGRt665KpP2+M9QfT7KycGiLlVJqFosrN9nrUTLi:HWP0QS9dMe5TBSyKQ+7fKtVPsrN9oS

    • LoaderBot

      LoaderBot is a loader written in .NET that downloads and executes miners.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • LoaderBot executable

    • XMRig Miner payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

    • Size

      2.1MB

    • MD5

      d5737f563015ca9df92bf17c6636db42

    • SHA1

      957099807b7ab2e38d583f84fb7059711feec61f

    • SHA256

      a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

    • SHA512

      d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

    • SSDEEP

      49152:kzuzgsK8XCwKyblc81KsH7FtfcaSPL/e6988MKMTq3xJTaUbEyi:NzgEywKybm81KQ7F9caSPi69893Oj81

    Score: 10/10
    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776

    • Size

      5.8MB

    • MD5

      27124a76fe1a7d01090183e7eb646b0e

    • SHA1

      9612c76890e70d63298e674601921cc3a9bbc00c

    • SHA256

      bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776

    • SHA512

      1e218f3b9acdc19dc9d915bbe0cf8afd4b4a0804f2a105aaf063a149cc78995a0948327b4086f6b97d35a213ae951a29e6a5bd91e5438b37585e54b8f6fbdda2

    • SSDEEP

      98304:FuAXqhdxBaSbIzxiEXUfcZYU5XiG0Yq9VaEZns3VpUCpBx4Yfq8WwnwPNq3HZQ:0AWbNbIzxibcZYDFYXjHBq8WwC8Q

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467

    • Size

      4.0MB

    • MD5

      c582001fd00152425fd1a4b9b0d7cf07

    • SHA1

      f747b7074505e37b589b72e652778c59077c1151

    • SHA256

      e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467

    • SHA512

      72e6993227acc1b5f4841bfe04030ec70d061ce3ac1512b93e05f9900445253f0ca71917469616210881c61f711aaae1f58eedbef8903e1627fc720f8283bcce

    • SSDEEP

      49152:EjNDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:ERzP88fBsnZTgOtqB3m1RC3

    • LoaderBot

      LoaderBot is a loader written in .NET that downloads and executes miners.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • LoaderBot executable

    • XMRig Miner payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application
