General

  • Target

    Desktop.rar

  • Size

    2.3MB

  • Sample

    240309-wezavsdh76

  • MD5

    1077faf19b1ccf5a1521b2a9db96c511

  • SHA1

    f4323b993e615bd833fd1f06ba5218c88e8ff48f

  • SHA256

    c7d57685be2f2275c7e77ea9f3dee605f580391f2ab221de836d5b6956fb0fcd

  • SHA512

    0e64594764ad0d873c36fa997253b889b59e940d8d977cf448b9ca099bdfefe0e0d93894ec9f87149bd36d4c08b6cc8319ea8681ea362d775b82f573a032ab0d

  • SSDEEP

    49152:6m2S0OL9/48IvX1qnsd7NPYx0dacgd4UXt74hTboQIVtrgaTYE:793LkXYqNAQacCXtkNaJzTYE

Targets

    • Target

      OpenAL.exe

    • Size

      468KB

    • MD5

      2a64a52ee5850a6710968ce44f25fb97

    • SHA1

      8abd31cc5de9a4f573c4f178fa6d9dff2ba1aec0

    • SHA256

      0cef1720e338870cfd693376e15831c49b0b747bac01587c030263892135bc9d

    • SHA512

      e4c0346d6b967c9fc3ec38e05765f6e45ea3de78f04cbb92d4a083dadc831b45563272b5ca7583e06c6033f72fe559f1bf20cda8dbcdd1e4a19840284344ec09

    • SSDEEP

      6144:zJj49VfrMbrSdycu8eWLQstXzg+uG1QdIEeoUaYf8wNH:zJj49VQbkeWL/+2oUaYkw5

    • Phemedrone

      An information and wallet stealer written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile contents.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      viaversion.exe

    • Size

      2.1MB

    • MD5

      20bee5b90d788cc5780b0ccbeb25a817

    • SHA1

      3ae1c0684105f2c8c0d5e12c29e982dc6c0d0560

    • SHA256

      83be40cbcf7e33332f513a7e46895cb844c94f1d53e519e4fc8846752ba8e330

    • SHA512

      5dfb425babafa5c851895dc918dca45c762205fcfd629ce113c29024ffe4401da2f69427f4a190cecf9707a365b54f382c7dcdd4777eaff9a991281e73a1f756

    • SSDEEP

      49152:lAhQlVmgOoTPjsjaMvFF4MrCVkCr7f2RHhMLoYEJRxC:+cV/Oi42MdFyzrb4BMcYEZC

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
