xmrig

General

Target

FreeSpoofer.zip
Size

25.2MB
Sample

241111-3h1fnazbln
MD5

395ecd48037ecc8ecc9fe07b591787a3
SHA1

016e11a2dab3ed2d5b588d99d33ab9dfdb95d422
SHA256

2e29359adc345fbef1d0a2f082d441d600d9c616586303938609d025e8ac98fb
SHA512

91e7f21f78848f259d2f8e43593fbbf9333a6009690ef1574104e8b7e8e129c33be8f58b6fb9412aaa9fce3198e4ea710b91c196490e6ef1ff16185028da8f11
SSDEEP

393216:CNyP7ixYoewSbBkqSZKxZUwZWupZNNQ6Hi14ODNNEPc9OcQbhatuz85iq/pn8cr:2yP7ZLBkNoWufA6C14EXEOVQbD8WY

Score

10^/10

Malware Config

Targets

- Target
  
  FreeSpoofer/AppleCleaner [I DO NOT OWN IT].exe
- Size
  
  3.6MB
- MD5
  
  f96eb2236970fb3ea97101b923af4228
- SHA1
  
  e0eed80f1054acbf5389a7b8860a4503dd3e184a
- SHA256
  
  46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
- SHA512
  
  2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
- SSDEEP
  
  98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb
Score

9^/10

discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  FreeSpoofer/Loader.exe
- Size
  
  26.4MB
- MD5
  
  aec49804a232eb45a7cf41e2dfef37fc
- SHA1
  
  5cedbd522c3c40305f6d656f57edf9b6a89d7e21
- SHA256
  
  deb7985a8f9a56f2dcbfdd4c5fa4732daad89ce82733818915f3a4e07c2d3b09
- SHA512
  
  ad9cf94db9a109e0f3a191169025c4f5ec86aca68937c373380dcb84c728b5817bf5e7bee8eea47b7cb82f5415234ab08a53f26030a5573d574477571f3a3d3d
- SSDEEP
  
  786432:pfjx8ZSLqcnnTNPefii+ydGI5mM3y9nEDQ:pfadJy9nQQ
Score

10^/10

xmrig discovery evasion execution miner persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Looks for VirtualBox Guest Additions in registry
  evasion
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral2