xmrig

General

Target

Folder.rar
Size

33.1MB
Sample

230521-zpaa9scd43
MD5

cf612197c75923ca827e198325e53657
SHA1

131f8ff92ec993af2d242cb676a8b006448c7b50
SHA256

4621fab7e79c7f65a52220c1cdb75aef0e2f5a6dfebf3f3380e075b49235d1be
SHA512

d4c688ace2239a3718c3625f9750f2ed1aea93bb56343d4b8d01d94c506a9968ff927efb0cd5b086b74ff2e1ca559738b17c181bbccfa35d0d121049715434e8
SSDEEP

786432:514WO3QqurabsuiCWulEr+47y34NGjC6nI1Gcs:P4WO3krzuiCxo97NG26I13s

Score

10^/10

Malware Config

Targets

- Target
  
  Folder/OnlineSet-up.exe
- Size
  
  685.3MB
- MD5
  
  3890f04895fa29ca24469e4c52e44b1f
- SHA1
  
  4c944be0bf5cecff8334d783a387de8043bde9be
- SHA256
  
  a1f4e4cd0c62e2cfa8ebdcb90800cdcd028b0302a60714ce8fb122e8d7d4a9fa
- SHA512
  
  68b53ea7c5312e14dcae727d14856360e07535a034ce0b899b0714efd1cc3d25d9c778718bddb81267a10a4283278b0a1793e973e4abd95acac2485d72364268
- SSDEEP
  
  393216:hrR+SknsQiN9pmGKLnqIgxBnpWmxuis8LrqSGl:VR+SknLepQTqIGnpWHisj
Score

10^/10

xmrig evasion miner themida trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2