xmrig | 1f9202a7727a5b66b4045ed2a9d18b5beeeb6e711a9cad24646e1d97ae5ceec9 | Triage

Submit
Reports

Overview

overview

Static

static

REPACK/setup.exe

windows7-x64

REPACK/setup.exe

windows10-2004-x64

Sharing

General

Target

REPACK.rar
Size

17.1MB
Sample

220926-xdd4zachbn
MD5

55f31ec23653ae03ab74c502c7730cd6
SHA1

26d38edb960174959b4ce3fd559a9297434c1e35
SHA256

1f9202a7727a5b66b4045ed2a9d18b5beeeb6e711a9cad24646e1d97ae5ceec9
SHA512

bcae0ead4479ac8cb801dac17be0b908f1569a5e50afa43e30347be0255e75bd3465b2e27279cf2858b08d556676c98e19c7291496a9254b652baaf1f25983c6
SSDEEP

393216:2revs2Em+g3pcNVbh7jALOVzajeNwLaOkqqxT2MhemPYqGo:2C0Xm5I18hkqqxSXmZ

Score

10^/10

xmrig evasion miner spyware stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

REPACK/setup.exe

Resource

win7-20220812-en

spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

REPACK/setup.exe

Resource

win10v2004-20220812-en

xmrig evasion miner spyware stealer upx

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  REPACK/setup.exe
- Size
  
  681.1MB
- MD5
  
  f57c9332808a063901254cd41eef7613
- SHA1
  
  67df58792e9a9d3c3d00e39753873fcf6ef2ae5f
- SHA256
  
  2b50d8d9acaab4c8679d87d37dda1e97464e3bdbb00c942277c58d7532098a50
- SHA512
  
  e032ca3899a93170f8a3e2d4be32deb66f21c5de02fc9f453bfd3709c0f54ff5eb75db58777ca1565dd57632b7c125de776b69737e8554761e1e15fd3b98e0eb
- SSDEEP
  
  393216:zKAhcUJ09+imj7+mmFygBWbln6eqOBZC517HNohLBn5Iv/vQ:2O090j7nmFVWhn/qOB8JiaQ
Score

10^/10

spyware stealer xmrig evasion miner upx
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Impair Defenses

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

xmrigevasionminerspywarestealerupx

© 2018-2024

Terms | Privacy