General

  • Target

    RBXIDLE.Setup.3.0.0.exe

  • Size

    144.1MB

  • Sample

    241107-zqx4qaydkn

  • MD5

    f7cd23293d037af068d7b4552f8bcee3

  • SHA1

    32485a4bb72cb1646a3028836378015cbcde2180

  • SHA256

    6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3

  • SHA512

    f31091dd3f6c86e39fd861e35a5213ce9fcec676a8e7f33abb71fb8c48a5ca648127bf07ecfe249aaa9e039281689b789407340f4c7476a6f1bfb721b63978aa

  • SSDEEP

    3145728:JPFNsCo0L7fiLGL5n6PT6Lr0UOkyJQweGopgu9CzxxNEQFSvyrzkfC0T6:1FN4SUu0UOkyJQp7pH9krNQvYgfw

Malware Config

Targets

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

MITRE ATT&CK Enterprise v15

Tasks