Overview

overview

10

Static

static

10

W1nnerFree CS2.exe

windows10-2004-x64

10

W1nnerFree CS2.exe

windows11-21h2-x64

10

$1/1337/Ex...er.exe

windows10-2004-x64

7

$1/1337/Ex...er.exe

windows11-21h2-x64

7

$1/1337/MinerMega.exe

windows10-2004-x64

10

$1/1337/MinerMega.exe

windows11-21h2-x64

10

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    W1nnerFree CS2.exe

  • Size

    21.4MB

  • Sample

    240219-kydbysbf4t

  • MD5

    7494cccce30350832ac77113f3cf28d8

  • SHA1

    ffba86775e5dc0a12957249e5f2d1c48bb1c58f0

  • SHA256

    0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6

  • SHA512

    94550c34c2887ca3227bfc559eeb2806bdd189b31bd866facbc5ed22ff2f6dc89684b268aa22a36c1b6a062deb2db6545d4e1b021a572f85fc9fcf7f65d059e7

  • SSDEEP

    393216:KYd9oOoUptPemm5HCizqg+o1sg1t6u14FBmqXiW2wcpIZSFH+fbYdUvCAhZ:pdnh/Ge41L1th15qIT41fsdU6m

Score
10/10
loaderbotxmrigloaderminerpersistence

Malware Config

Targets

    • Target

      W1nnerFree CS2.exe

    • Size

      21.4MB

    • MD5

      7494cccce30350832ac77113f3cf28d8

    • SHA1

      ffba86775e5dc0a12957249e5f2d1c48bb1c58f0

    • SHA256

      0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6

    • SHA512

      94550c34c2887ca3227bfc559eeb2806bdd189b31bd866facbc5ed22ff2f6dc89684b268aa22a36c1b6a062deb2db6545d4e1b021a572f85fc9fcf7f65d059e7

    • SSDEEP

      393216:KYd9oOoUptPemm5HCizqg+o1sg1t6u14FBmqXiW2wcpIZSFH+fbYdUvCAhZ:pdnh/Ge41L1th15qIT41fsdU6m

    Score
    10/10
    loaderbotxmrigloaderminerpersistence

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      $1/1337/ExLoader_Installer.exe

    • Size

      19.8MB

    • MD5

      afcb0e5c7c35c05970a74a1aab5fe12e

    • SHA1

      42eacb7a9594ee0a6242d3bc3c33b6c60b3fc319

    • SHA256

      f1e92828ebf9e2443f36c03a5a66a4fba4bd8744ecf5bbf59fc69c84d7a95d18

    • SHA512

      fe62d4b1ec93a21a7b1f80e5f42b17c0c43d794b99e7e87fb6fea86d82ac080d76dcf9a3e96516303ccaf88b8101523a23f5b7f560bd3f4bb2745ac1f71b4dfb

    • SSDEEP

      393216:QuTOvTuAnHmMgEMSb6qLdTcmtgt+BDMncawXAKaVnayxZtFDtq:dUTPGMzpbpT8+BInf46VnvHrJq

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral3behavioral4

    • Target

      $1/1337/MinerMega.exe

    • Size

      4.0MB

    • MD5

      d1f8ccf271359d1d1840075b3065cdaa

    • SHA1

      5b316201fb5d9705e20398ded7d0441962e2b183

    • SHA256

      5817eb190e2adfb6b1a8488df5e83cda619969a4ea5cccca282a348ef35d09ad

    • SHA512

      5fb53f967b940f76b9c98d09773bea69c6ccbfd2469b9eb64868042f2ee56860d8a000b469ce941a2241adbe261ace43273c9a6cef9821ff6eabeb8f63b81e07

    • SSDEEP

      49152:ENDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:SzP88fBsnZTgOtqB3m1RC3

    Score
    10/10
    loaderbotxmrigloaderminerpersistence

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      2ae993a2ffec0c137eb51c8832691bcb

    • SHA1

      98e0b37b7c14890f8a599f35678af5e9435906e1

    • SHA256

      681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

    • SHA512

      2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

    • SSDEEP

      192:vPtkumJX7zB22kGwfy0mtVgkCPOsE1un:k702k5qpdsEQn

    Score
    3/10
    behavioral7behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

6
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks