xmrig | e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a | Triage

Submit
Reports

Overview

overview

Static

static

3

RblxExecutor.exe

windows10-2004-x64

Sharing

General

Target

RblxExecutor.exe
Size

1.6MB
Sample

240522-n63tcsgb3s
MD5

3a235f7f491d95d4727320239c0b4cb7
SHA1

b66d02b69f9d2cf011164406c6bc93a6728a65eb
SHA256

e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a
SHA512

fa40f2d94bbe25372fc5eecb87168c3a55fb3fff1486ebd57d1f944760b43cc77a891fdbc246d5379e02b88b7f4f6abea0c94162e88ff87cabd246c7d8a5d83b
SSDEEP

24576:O83AQ99hyIMVdMJgsIX3b9M5Mm2f+qnbyy3q3PIMPKgPe8CWZoPJRMyoE:OWAE9AInJfF8dbRiteGmJKy

Score

10^/10

xmrig xworm evasion execution miner rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

RblxExecutor.exe

Resource

win10v2004-20240508-en

xmrig xworm evasion execution miner rat trojan

windows10-2004-x64

21 signatures

300 seconds

Malware Config

Extracted

Family

xworm

C2

185.196.8.135:7000

Attributes

install_file
USB.exe

Targets

- Target
  
  RblxExecutor.exe
- Size
  
  1.6MB
- MD5
  
  3a235f7f491d95d4727320239c0b4cb7
- SHA1
  
  b66d02b69f9d2cf011164406c6bc93a6728a65eb
- SHA256
  
  e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a
- SHA512
  
  fa40f2d94bbe25372fc5eecb87168c3a55fb3fff1486ebd57d1f944760b43cc77a891fdbc246d5379e02b88b7f4f6abea0c94162e88ff87cabd246c7d8a5d83b
- SSDEEP
  
  24576:O83AQ99hyIMVdMJgsIX3b9M5Mm2f+qnbyy3q3PIMPKgPe8CWZoPJRMyoE:OWAE9AInJfF8dbRiteGmJKy
Score

10^/10

xmrig xworm evasion execution miner rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VirtualBox drivers on disk
  evasion
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Looks for VMWare drivers on disk
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

File and Directory Discovery

Process Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xmrigxwormevasionexecutionminerrattrojan

© 2018-2024

Terms | Privacy