General

  • Target

    Silent Crypto Miner.exe

  • Size

    102.3MB

  • Sample

    241113-mcj9gszgnl

  • MD5

    1e6abea24496d10732c03e0fe4b5caf3

  • SHA1

    20a6fb829da6e8bddd199295605973a72b96dfb0

  • SHA256

    e942cf802fd110c9292bad85b0304c829e8c6a6ce77849b257745e1e49889de6

  • SHA512

    e2c61e1cb39a55e09ef47ec6b028b2c9d7ab6b65d57bdc5cb6516d0543168951a094779f840218a59dc421fd6b86c17f03a59798f929b5e349395add72a9baaa

  • SSDEEP

    1572864:1bNWZfPno69sYe8LGxVjteAE3KS16kmmjcundHxGyD9jI44uJkfSpBWGM:1pwoGZGxVpehndjzdHxr9M4wOBx

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    in0c3nt

  • antivm

    false

  • c2_url

    https://paste.fo/raw/7ad53c7a1aa4

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    SysConfig.exe

  • main_folder

    UserProfile

  • pin_spread

    false

  • sub_folder

    \System Configurations\

  • usb_spread

    false

Extracted

Family

xworm

Version

5.0

C2

catcheyou.ooguy.com:34611

connectedto.mywire.org:34611

Attributes
  • install_file

    game.exe

  • aes.plain

Targets

    • Detect Xworm Payload

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Limerat family

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks