xmrig

Resubmissions

25/04/2023, 13:06

230425-qb6mwacc7x 10

25/04/2023, 12:56

230425-p6tq5aad89 10

25/04/2023, 12:54

230425-p5dzaacc5s 10

Sharing

Copy URL Twitter E-mail

General

Target

4life kopalnia (vmka RAT!!!!).rar
Size

15.8MB
Sample

230425-p6tq5aad89
MD5

cbb1d251d53f06f2120315be4f1f60a7
SHA1

f6faa01170df8e05a1d1e05ec2a3a2d572a7aee2
SHA256

a64f74746190a2da55afe7b5b6a95e826c6aa70afda165b276489d1738783631
SHA512

c3bc93d17d396a6f38b3fca7cb3154275b6029d8af000a699e19001b55d4bda6466b114e69bd0c3b1a84c8c72aa0e12d8a55500e5b81ab4b9df0011d9514e95b
SSDEEP

393216:Sj9LbXygD9TU8xdbNpDCYTGxirRLEeu6C:SRLb79IkdJpDCIeiFLEeu6C

Score

10^/10

Malware Config

Targets

- Target
  
  4life kopalnia (vmka RAT!!!!).rar
- Size
  
  15.8MB
- MD5
  
  cbb1d251d53f06f2120315be4f1f60a7
- SHA1
  
  f6faa01170df8e05a1d1e05ec2a3a2d572a7aee2
- SHA256
  
  a64f74746190a2da55afe7b5b6a95e826c6aa70afda165b276489d1738783631
- SHA512
  
  c3bc93d17d396a6f38b3fca7cb3154275b6029d8af000a699e19001b55d4bda6466b114e69bd0c3b1a84c8c72aa0e12d8a55500e5b81ab4b9df0011d9514e95b
- SSDEEP
  
  393216:Sj9LbXygD9TU8xdbNpDCYTGxirRLEeu6C:SRLb79IkdJpDCIeiFLEeu6C
Score

3^/10
behavioral1
- Target
  
  4BOT.exe
- Size
  
  4.1MB
- MD5
  
  6ce29e0f74ff2df208a44a3324472cb5
- SHA1
  
  5653ceb3aa850ac17c862d910c9c0d3aa2d15bac
- SHA256
  
  5eeb67c1b9e0fac082836a13b7c60157404ea376b0c910a5fbfb98df7f99f26e
- SHA512
  
  b38d65de4b738044128fc40ce68aa9211805ab25bf6585fd21a7fc2c156f02fa14457dba618587a1ad4fee44e0ca9f51fa52ac7291656129d16d1c693222932a
- SSDEEP
  
  98304:CGaVlKvrfPSEA4zeA9G2Z3IopMW9vSkkslgMNBKQxLOO705M:Y7KDfPpA4h/vl2slgMNQxO702
Score

10^/10

xmrig evasion miner trojan upx
- Modifies security service
  evasion
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  CShauto.dll
- Size
  
  48KB
- MD5
  
  a822407f09a918136c01b96c6d959e26
- SHA1
  
  1a94ed3e3bf6142d324c56c3f3c6610aa3ee8034
- SHA256
  
  cea4eb5cfeb774f08b83faeb21b933af26493b41b5a4c68ad4653ca77c35de5a
- SHA512
  
  fbc5328dacb6a9187a86352ea2b6ae795e862042e367264a0602dc81e83a8c11bd1496ccf4eaa569acdf076ca2dc060b0c014cd39d54782d64401412840e36d0
- SSDEEP
  
  768:KVk5JPOnoWD6FHN5bqGhNn40/6s9KgDDDDsDDtB5nURO+BUENtnH6S6yFHWI/:KVPoWD6NNkUn40/6VB+RdUG73
Score

1^/10
behavioral3
- Target
  
  Cryptolens.Licensing.dll
- Size
  
  112KB
- MD5
  
  d81cd623052ca08f37c11cc84782c34e
- SHA1
  
  a6e537d9772e935027010e91db7d16003d15cb91
- SHA256
  
  be664e80caa588476706d270ba97196f5d8af4fcd4e5f10c7bd401610c1af7b2
- SHA512
  
  3ddafae120f3fe9a582455fb846c3cdc2e87734c5d30081e145021db33ec5d9e1b83e9ce309010e1766d917f40d916369e1b35cff0b7c451102d7467bf44010c
- SSDEEP
  
  3072:4lyDWiumeYHw3O5+Oex3Uet4NHZmTwo/pLEPzv+PaFKrCAO:nWiFVw3pJ3UxZEg
Score

1^/10
behavioral4
- Target
  
  Emgu.CV.World.dll
- Size
  
  608KB
- MD5
  
  4b28888bc2add928e92cfeedf5d1bd16
- SHA1
  
  bd7db44d21ef81dda89b7d2b1b1cf7589e496672
- SHA256
  
  d60ba709da77cd3d7bc71b353599dd8804fd1c3b1a9cef485fa2639b156d802f
- SHA512
  
  e75d613eaf389b6ac6eba7f5c2cd744b0cb24f0ca92f0bc976d0a3522d5ff1d96633ed7e3940e78eff8748b615a42f5b5ca912845c96fd161fc10dd6819f86fa
- SSDEEP
  
  12288:Txl0q4Ox+HRa6kw0sSLfDaB1iXXnQJrRalP3iLHLXhqr0f:ll0q4G2V7ZXhKg
Score

1^/10
behavioral5
- Target
  
  Guna.UI2.dll
- Size
  
  3.8MB
- MD5
  
  a29c7159170dc36961cc7c6ae0ac6e40
- SHA1
  
  8fcaff77cda4dfca269f12d7f7284bd1dfb35df3
- SHA256
  
  8e0ebe5cebbcb46b3e870b6bfb20412a52f534240846220b7a5da7cad2d71903
- SHA512
  
  475b1695efc339b52d052ff17e7f9e245e1973f5fa93b79f482fb8baf9757d539cd8d5582544663824d091ad6919e315c0c524b055756a219bbf2fd901bd3537
- SSDEEP
  
  24576:cVaMMD+dmfoN6y42wVXXicKsZv76OqM8wd/8++XJVkhIiA6Gu1cJCyHQ/jzhpb:tAR7wVCEZvum8wJ6T6nmO
Score

1^/10
behavioral6
- Target
  
  MySql.Data.dll
- Size
  
  1.4MB
- MD5
  
  82ba3bb3c85d357de50120572a0ac701
- SHA1
  
  057c7c01addd9371c225ee1c1cb7fa4247e0d411
- SHA256
  
  67cdc65b84408f01811616cffd799dabcfba14f5c370a550609b7c304dce5b85
- SHA512
  
  fc63b09505de7b3164059795ffce29d38c613907cac17721456531b8eee52b7435c280ca94df70b51c9a90d74c42deefe5c853722bf0c5fdd36b00fe62be4b94
- SSDEEP
  
  24576:a7fW6G1nBS62iKh3xsBftBtpcq/scemW5KP5Qe1H80AqwBLAwhn3O:auYh3rzmW4K0AHLAYn3O
Score

1^/10
behavioral7
- Target
  
  Newtonsoft.Json.dll
- Size
  
  683KB
- MD5
  
  6815034209687816d8cf401877ec8133
- SHA1
  
  1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
- SHA256
  
  7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
- SHA512
  
  3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721
- SSDEEP
  
  12288:Lf9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH:7XNL2PVh6B+Bzjmc
Score

1^/10
behavioral8
- Target
  
  TheEyes.dll
- Size
  
  17KB
- MD5
  
  414fb607e6fd99b797633f26b2866997
- SHA1
  
  e209f8dcce1a678af27ecbb55d29645d952f6188
- SHA256
  
  e77e58d63372be3567851e3a871ff82baec65d69588bb609f14ab254d2535446
- SHA512
  
  d60b7e07888677a68209d7fbcd6dc512e38c0916803592931515943b839f90dc834ff5eae9c65070d786b67c497ba58d0a5998bc3040c0b5d1ae16b6099dc3dd
- SSDEEP
  
  384:FR3kgWgWIeMuOuJrOyvQzX6PEqSB3lIF8EjIuv7EH:DkgW7IluOuJrOyvajBM8qv7EH
Score

1^/10
behavioral9
- Target
  
  cvextern.dll
- Size
  
  30.6MB
- MD5
  
  274d34f4029d8ec8d37c155b72860bff
- SHA1
  
  d741fe871d2e1440351279d3da2fee64b733259b
- SHA256
  
  6c03089f9b26b744aa43add2b4512a52aa909d787280e0c415831e6415c5cd37
- SHA512
  
  8e54c2cb053e4b0ad4ded1df5794839d1fe259c4d696381396016d8845693531a786eaa3b02c6b3f1354ab3dd67420737e81d29e6183fb4d15deef9a739bfcff
- SSDEEP
  
  393216:h/MtFxori7LiAUNufBuluiEtYqsVCDsMsF1zv6DPRQz:K43EtvsImqRg
Score

3^/10
behavioral10

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Modifies security service

Identifies VirtualBox via ACPI registry values (likely anti-VM)

XMRig Miner payload

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Checks BIOS information in registry

Executes dropped EXE

UPX packed file

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10