xmrig

General

Target

rhfinal.exe
Size

307KB
Sample

230112-fqd63aba8t
MD5

32ad696ddbb245210e041fac7a0b805f
SHA1

f6847a97a3139a1d11a4a29ccdc91c61e7d473bd
SHA256

cbc57ef2acb08283ea450ecc433dfb1db30b418828392e22b0670fb47b6d4bd3
SHA512

e2ada8d51b9bbe28fa6130b881bbfbb8d3318daf90a6f7be6de79a818b1448a2530b00d9d7faeef47b4c75112a70363f210cbed47a9bdc33b3ae7360c4b34481
SSDEEP

6144:K8y+bnr+op0yN90QEcIxUrwu5k0NH3Z/856UbYec:sMrgy90Orwu5vJ/UhYec

Score

10^/10

Malware Config

Targets

- Target
  
  rhfinal.exe
- Size
  
  307KB
- MD5
  
  32ad696ddbb245210e041fac7a0b805f
- SHA1
  
  f6847a97a3139a1d11a4a29ccdc91c61e7d473bd
- SHA256
  
  cbc57ef2acb08283ea450ecc433dfb1db30b418828392e22b0670fb47b6d4bd3
- SHA512
  
  e2ada8d51b9bbe28fa6130b881bbfbb8d3318daf90a6f7be6de79a818b1448a2530b00d9d7faeef47b4c75112a70363f210cbed47a9bdc33b3ae7360c4b34481
- SSDEEP
  
  6144:K8y+bnr+op0yN90QEcIxUrwu5k0NH3Z/856UbYec:sMrgy90Orwu5vJ/UhYec
Score

10^/10

persistence xmrig collection discovery miner spyware stealer upx
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2