Overview

overview

10

Static

static

10

202ad65f39...2f.exe

windows7-x64

10

202ad65f39...2f.exe

windows10-2004-x64

10

2722079047...42.exe

windows7-x64

7

2722079047...42.exe

windows10-2004-x64

7

61b08c9b1c...29.exe

windows7-x64

10

61b08c9b1c...29.exe

windows10-2004-x64

10

a89d4dfabf...a9.exe

windows7-x64

10

a89d4dfabf...a9.exe

windows10-2004-x64

10

bb1e9db6d9...76.exe

windows7-x64

7

bb1e9db6d9...76.exe

windows10-2004-x64

7

e9fca3db7f...67.exe

windows7-x64

10

e9fca3db7f...67.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    220907-p95b2acbd5_pw_infected.zip

  • Size

    21.3MB

  • Sample

    230513-zclhrsbe9z

  • MD5

    3086b7cf2978bfb0c3120b7c8ad7c53a

  • SHA1

    2267f8d6fa62e098709092c07ffe619c94b34c24

  • SHA256

    82d4c31b741a633f3eaaf8f6c361b99e5de14060d26457ac1be57bb0f8a1d3bf

  • SHA512

    88928ef147009bbeac9f659d8aebcdf7b595558493218be1bee097aca1d43ae9f91215090a873dd12bf04b687431e1938f22a80874cdbf7cf329f9f427e96fc6

  • SSDEEP

    393216:YTd5Yy8EJuL1sVoGCYCkA5dYLhK+XTo0soXV8+TXz8d0K58RAFI9L/CP2f9IW:udfALiVChk/hKz0TXq+rz8YKaL/CPIIW

Score
10/10
eternityloaderbotxmrigevasionloaderminerpersistencetrojanupx

Malware Config

Extracted

Family

eternity

Wallets

49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW

Targets

    • Target

      202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f

    • Size

      4.1MB

    • MD5

      f962628bdeea7557ae61ea61b3e8bd51

    • SHA1

      ebec33d67bd123146341e02690637f8a40234f27

    • SHA256

      202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f

    • SHA512

      51c552e057010c759ead1f4ead26477d14a2190f3f3c620e16dad9d06c37d3f82cc8508ac0e6f0febb1715e241ebabf2ffaa9170540ef376d7b878f0368abcb7

    • SSDEEP

      98304:nktEDt0k984nukQYxQFKWRw3hmXsFALcQUkfL3BIdw48phwTpb+:np0k98caxFLRyhulUkD3BIP8b6b+

    Score
    10/10
    xmrigevasionminerpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies security service

      evasion

    • XMRig Miner payload

      miner

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

    • Target

      27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942

    • Size

      1.7MB

    • MD5

      9ec8bc3dbfdcfe1540bd3274181ae9bb

    • SHA1

      a5e610f5e4d56e7ac8c7b6b20a2726cf362ba316

    • SHA256

      27220790475f6cf42fbaff5e5fbdfe452b7d79116547878b01ecdbc1c6a5b942

    • SHA512

      d030b4b8beb58fd683ebb5f883566dbe8fab5a8bacad52f45e428eb71efdd90c6d35629769ac461a35f94471cd57d943d6e6bd8898596919b34eacaca701d117

    • SSDEEP

      49152:1Tvt1GjeX+xaFTx+IJPPpU4XOulXn8djKj:1T7zOaaqPpv8d2

    Score
    7/10
    upx

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29

    • Size

      6.2MB

    • MD5

      a193434018c93b4c84767c80f73f2253

    • SHA1

      77b9de6465dbe9ec0435b44c8c7505471a9bb01d

    • SHA256

      61b08c9b1c1f836a8fe354ae53110ffc66ef1ecb9ea353b345d7690a0bb3be29

    • SHA512

      0fa49721e806395c44c2ea1ab17425f45c1cc75b02e4a5b9ffe6e392a4410a868b7d755b260c2952d75046a2ea7753a3de667ecf7d0f07e420e94214a9c3cfee

    • SSDEEP

      98304:HWP0e39YV6AbdmorKY6Q5o8UGRt665KpP2+M9QfT7KycGiLlVJqFosrN9nrUTLi:HWP0QS9dMe5TBSyKQ+7fKtVPsrN9oS

    Score
    10/10
    loaderbotxmrigloaderminerpersistence

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

    • Size

      2.1MB

    • MD5

      d5737f563015ca9df92bf17c6636db42

    • SHA1

      957099807b7ab2e38d583f84fb7059711feec61f

    • SHA256

      a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

    • SHA512

      d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

    • SSDEEP

      49152:kzuzgsK8XCwKyblc81KsH7FtfcaSPL/e6988MKMTq3xJTaUbEyi:NzgEywKybm81KQ7F9caSPi69893Oj81

    Score
    10/10
    eternityxmrigminer

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

      eternity

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776

    • Size

      5.8MB

    • MD5

      27124a76fe1a7d01090183e7eb646b0e

    • SHA1

      9612c76890e70d63298e674601921cc3a9bbc00c

    • SHA256

      bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776

    • SHA512

      1e218f3b9acdc19dc9d915bbe0cf8afd4b4a0804f2a105aaf063a149cc78995a0948327b4086f6b97d35a213ae951a29e6a5bd91e5438b37585e54b8f6fbdda2

    • SSDEEP

      98304:FuAXqhdxBaSbIzxiEXUfcZYU5XiG0Yq9VaEZns3VpUCpBx4Yfq8WwnwPNq3HZQ:0AWbNbIzxibcZYDFYXjHBq8WwC8Q

    Score
    7/10
    persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral10behavioral9

    • Target

      e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467

    • Size

      4.0MB

    • MD5

      c582001fd00152425fd1a4b9b0d7cf07

    • SHA1

      f747b7074505e37b589b72e652778c59077c1151

    • SHA256

      e9fca3db7f9c56f58cc1e28118c9897aa3cd0d2e052c62b3aed472bede51e467

    • SHA512

      72e6993227acc1b5f4841bfe04030ec70d061ce3ac1512b93e05f9900445253f0ca71917469616210881c61f711aaae1f58eedbef8903e1627fc720f8283bcce

    • SSDEEP

      49152:EjNDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:ERzP88fBsnZTgOtqB3m1RC3

    Score
    10/10
    loaderbotxmrigloaderminerpersistence

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral11behavioral12

MITRE ATT&CK Enterprise v6

Tasks