General

  • Target

    RBXIDLE.Setup.3.0.0.exe

  • Size

    144.1MB

  • Sample

    241117-twm8tayjdm

  • MD5

    f7cd23293d037af068d7b4552f8bcee3

  • SHA1

    32485a4bb72cb1646a3028836378015cbcde2180

  • SHA256

    6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3

  • SHA512

    f31091dd3f6c86e39fd861e35a5213ce9fcec676a8e7f33abb71fb8c48a5ca648127bf07ecfe249aaa9e039281689b789407340f4c7476a6f1bfb721b63978aa

  • SSDEEP

    3145728:JPFNsCo0L7fiLGL5n6PT6Lr0UOkyJQweGopgu9CzxxNEQFSvyrzkfC0T6:1FN4SUu0UOkyJQp7pH9krNQvYgfw

Malware Config

Targets

    • Target

      RBXIDLE.Setup.3.0.0.exe

    • Size

      144.1MB

    • MD5

      f7cd23293d037af068d7b4552f8bcee3

    • SHA1

      32485a4bb72cb1646a3028836378015cbcde2180

    • SHA256

      6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3

    • SHA512

      f31091dd3f6c86e39fd861e35a5213ce9fcec676a8e7f33abb71fb8c48a5ca648127bf07ecfe249aaa9e039281689b789407340f4c7476a6f1bfb721b63978aa

    • SSDEEP

      3145728:JPFNsCo0L7fiLGL5n6PT6Lr0UOkyJQweGopgu9CzxxNEQFSvyrzkfC0T6:1FN4SUu0UOkyJQp7pH9krNQvYgfw

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
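
The three PowerShell-related signatures above (a hidden window, Defender exclusions added through Add-/Set-MpPreference, and PowerShell launched by the installer) are what a detection engineer would want to catch on a live host. The following is an added example, not code from the sandbox, the report, or the sample: it scores Sysmon-style process-creation records for those behaviours, decoding any -EncodedCommand payload first so that an encoded Add-MpPreference does not slip past the rule. The event records, paths and exclusion values are constructed placeholders; the rule names, weights and ATT&CK mapping are the example's own choices.

```python
"""Flag the PowerShell behaviours the report lists (hidden window, Defender exclusions
added with Add-/Set-MpPreference, encoded commands) in process-creation records.
Added example: not code from the sandbox or the sample. Events below are constructed."""
import base64
import re

# ATT&CK Enterprise technique IDs for the behaviours named in the report.
ATTACK = {
    "powershell": "T1059.001",          # Command and Scripting Interpreter: PowerShell
    "hidden_window": "T1564.003",       # Hide Artifacts: Hidden Window
    "defender_exclusion": "T1562.001",  # Impair Defenses: Disable or Modify Tools
    "encoded_command": "T1027.010",     # Obfuscated Files or Information: Command Obfuscation
}
# Weights are the example's own choice, not the sandbox's scoring.
WEIGHT = {"powershell": 1, "encoded_command": 2, "hidden_window": 2, "defender_exclusion": 5}

POWERSHELL_IMAGE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
HIDDEN_WINDOW = re.compile(r"-(?:w|win|window|windowstyle)\s+hidden\b", re.I)
ENCODED_COMMAND = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
MP_PREFERENCE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
EXCLUSION_PARAM = re.compile(r"-Exclusion(?:Path|Extension|Process)\b", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_COMMAND.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return the set of rule names a process-creation event trips (empty if not PowerShell)."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if not POWERSHELL_IMAGE.search(image):
        return set()
    rules = {"powershell"}
    decoded = decode_encoded_command(cmdline)
    # Inspect the decoded payload too, otherwise an encoded Add-MpPreference slips past.
    script = cmdline if decoded is None else cmdline + "\n" + decoded
    if decoded is not None:
        rules.add("encoded_command")
    if HIDDEN_WINDOW.search(cmdline):
        rules.add("hidden_window")
    if MP_PREFERENCE.search(script) and EXCLUSION_PARAM.search(script):
        rules.add("defender_exclusion")
    return rules


def scan(events):
    """Events that trip more than a plain PowerShell launch, with a score and ATT&CK IDs."""
    hits = []
    for i, event in enumerate(events):
        rules = analyse_event(event)
        if rules - {"powershell"}:
            hits.append({
                "index": i,
                "parent": event.get("ParentImage", ""),
                "rules": sorted(rules),
                "score": sum(WEIGHT[r] for r in rules),
                "techniques": sorted({ATTACK[r] for r in rules}),
            })
    return hits


def sample_events():
    """Constructed Sysmon-style records; paths and exclusions are placeholders, not from the run."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    installer = r"C:\Users\user\Desktop\RBXIDLE.Setup.3.0.0.exe"
    encoded = base64.b64encode(
        "Add-MpPreference -ExclusionExtension '.dll'".encode("utf-16-le")).decode()
    return [
        {"Image": ps, "ParentImage": installer,
         "CommandLine": r"powershell.exe -WindowStyle Hidden -Command Add-MpPreference "
                        r"-ExclusionPath C:\Users\Public\rbx -ExclusionProcess RBXIDLE.exe"},
        {"Image": ps, "ParentImage": installer,
         "CommandLine": "powershell.exe -NoProfile -w hidden -enc " + encoded},
        {"Image": ps, "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},   # benign: not reported
        {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": installer,
         "CommandLine": "cmd.exe /c whoami"},                              # not PowerShell: skipped
    ]


if __name__ == "__main__":
    for hit in scan(sample_events()):
        print(hit)
```

Feed it Sysmon Event ID 1 or Security 4688 records (with command-line auditing enabled) and raise the two events spawned by the installer; the benign Get-Date launch and the cmd.exe record produce nothing. On a host that already ran the installer, the same exclusions show up in the output of Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess), which is the quickest confirmation.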

    • Target

      $PLUGINSDIR/SpiderBanner.dll

    • Size

      9KB

    • MD5

      17309e33b596ba3a5693b4d3e85cf8d7

    • SHA1

      7d361836cf53df42021c7f2b148aec9458818c01

    • SHA256

      996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

    • SHA512

      1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

    • SSDEEP

      192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY

    Score
    3/10
    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      $PLUGINSDIR/WinShell.dll

    • Size

      3KB

    • MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

    • SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

    • SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

    • SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

    Score
    3/10
    • Target

      LICENSES.chromium.html

    • Size

      5.2MB

    • MD5

      27206d29e7a2d80ee16f7f02ee89fb0f

    • SHA1

      3cf857751158907166f87ed03f74b40621e883ef

    • SHA256

      2282bc8fe1798971d5726d2138eda308244fa713f0061534b8d9fbe9453d59ab

    • SHA512

      390c490f7ff6337ee701bd7fc866354ef1b821d490c54648459c382ba63c1e8c92229e1b089a3bd0b701042b7fa9c6d2431079fd263e2d6754523fce200840e2

    • SSDEEP

      12288:/7etnqnVnMnBnunQ9RBvjYJEi400/Q599b769B9UOE6MwMGucMEbHDuX0YnpWQZO:sFEc5FeWSPZza8yUMmfSHCHWJ4pps

    Score
    3/10
    • Target

      RBXIDLE.exe

    • Size

      134.1MB

    • MD5

      92d241ee2322192f628a7c0ca5c48f48

    • SHA1

      60e19cb221c868c750601ecaf88309dcad32d886

    • SHA256

      93d3e9ee4cca55a9287418e12eba8929bc471aa37ec213147f7bd8dc0896f98f

    • SHA512

      8ff9dd69f699d7d538b12e03564a04d1f31aaabc00cf2895a33bd8edf6e7864f888dd065c74ea6de9376da96a44c566b1b59d328c6e7c9dbc91ff03cfee3e75c

    • SSDEEP

      1572864:UUIbvHBgU0Tj91hRhmsMj9ZcZW0SUqDQ:UcUw+AGE

    • Command and Scripting Interpreter: PowerShell

      Runs powershell.exe.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Loads dropped DLL

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
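
Both the installer and RBXIDLE.exe trip the Component Object Model Hijacking signature. The report does not say which CLSID was touched, so the practical follow-up is a hunt over the registry rather than a lookup of one key. The following is an added example, not the sandbox's or the sample's code: given flat rows exported from HKCU and HKLM (for instance from reg export or Get-ChildItem over Registry::HKCU\Software\Classes\CLSID), it flags per-user InprocServer32/LocalServer32 entries that either shadow the machine-wide server for the same CLSID or point at a user-writable path. The rows and the CLSIDs in them are constructed placeholders.

```python
"""Hunt for COM hijacking (the Event Triggered Execution signature above) in registry
snapshots: per-user CLSID server entries that shadow the machine-wide one or point at a
user-writable path. Added example, not the sandbox's or the sample's code; rows and CLSIDs
below are constructed placeholders."""
import re

# HKCU\Software\Classes is consulted before HKLM for a non-elevated process, so a per-user
# InprocServer32/LocalServer32 entry silently replaces the system one (T1546.015).
CLSID_SERVER = re.compile(
    r"^Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$", re.I)
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\|[A-Z]:\\ProgramData\\|[A-Z]:\\Windows\\Temp\\"
    r"|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%)", re.I)


def normalise_path(value):
    """Strip surrounding quotes and trailing arguments from a quoted server value;
    unquoted values are kept whole because they may contain spaces."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value


def index_servers(rows):
    """Map (hive, clsid, server-key) -> server path from flat (hive, key, default-value) rows."""
    index = {}
    for hive, key, value in rows:
        m = CLSID_SERVER.match(key)
        if m:
            index[(hive.upper(), m.group(1).upper(), m.group(2).lower())] = normalise_path(value)
    return index


def find_com_hijacks(rows):
    """Return suspicious HKCU CLSID server entries, sorted by CLSID, with the reasons."""
    index = index_servers(rows)
    findings = []
    for (hive, clsid, server), path in index.items():
        if hive != "HKCU":
            continue
        reasons = []
        system_path = index.get(("HKLM", clsid, server))
        if system_path is not None and system_path.lower() != path.lower():
            reasons.append(f"shadows HKLM {server} {system_path}")
        if USER_WRITABLE.match(path):
            reasons.append("server binary in user-writable location")
        if reasons:
            findings.append({"clsid": clsid, "server": server, "path": path, "reasons": reasons})
    return sorted(findings, key=lambda f: f["clsid"])


def sample_rows():
    """Constructed registry rows; the CLSIDs are placeholders, not real or observed ones."""
    c1 = r"Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32"
    c2 = r"Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32"
    c3 = r"Software\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\LocalServer32"
    return [
        ("HKLM", c1, r"C:\Windows\System32\shell32.dll"),
        ("HKCU", c1, r"C:\Users\user\AppData\Roaming\update\helper.dll"),  # shadows + user-writable
        ("HKCU", c2, r"C:\Program Files\Vendor\vendor.dll"),               # per-user but not suspicious
        ("HKCU", c3, r'"%LOCALAPPDATA%\Temp\svc.exe" -embedding'),         # user-writable
        ("HKLM", r"Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\ProgID", "Vendor.Thing"),
    ]


if __name__ == "__main__":
    for finding in find_com_hijacks(sample_rows()):
        print(finding)
```

A per-user CLSID with no HKLM counterpart in Program Files is deliberately not flagged: legitimate per-user installs register exactly that way. The two signals that matter are a shadowed system server and a server binary the user can overwrite; the sample row for the first placeholder CLSID shows both at once, which is the shape a hijack for persistence usually takes.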

    • Target

      resources/app.asar.unpacked/node_modules/node-windows/bin/elevate/elevate.cmd

    • Size

      80B

    • MD5

      6bf15504007e72e8fd4d069962bb6bb1

    • SHA1

      2962bc672541698e23d97b2c9b4d67726662d2df

    • SHA256

      d3d046aa4e54c8e1aafdb95b0d65aa73731a7fa76df3bd582c26244dcebb97eb

    • SHA512

      8905d00be73d651bc3537f7fb441d84874aac8497da3da474bb1f3d71c688372aafbc1ce078024832369907494fd9990d362fcd7e58717278d13be5f2a67f142

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/node-windows/bin/elevate/elevate.vbs

    • Size

      334B

    • MD5

      e5103df4ae6351428735d9c7e8f1a8cd

    • SHA1

      0fdd4a6bd924c0fff1c0f9b95c6120f3271b4026

    • SHA256

      f7ab6e0f5ce0b0da4169083f6d8832dbe4ead414ae1f450fc75f873490c00b7f

    • SHA512

      e876664e37b90662c017f3092e96a832004e73a7773cab97f61e531f69b96a2848720223e29307c56eb688804327f05fe93cbf38d0d0cc803af6a06952cfc9d1

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/node-windows/bin/sudowin/Sudowin.Common.dll

    • Size

      20KB

    • MD5

      71a3ccef13df30b88d681714fe0386fa

    • SHA1

      e717d0d9890f11f15e5f4ff62d91b43a188760e2

    • SHA256

      ab3f0d95abc0041c4413a52f42447d4a49f2f09b746b78c297449880206cb844

    • SHA512

      60f65d428dbc560dcfff5218dcc938a8a3f5a723c6017277f2dbf5ca0fc9c1ccd551ead227831a5dc4c251d8da30737149d49d86b8fede3b933e4da69328d450

    • SSDEEP

      96:hDFBwPfHy3S2xncBrtx9WQN8m2sam8vnC8DKnDvaqYqiVaVYZ3lkb1qqAKiVu4Jh:K/QWtzWfmhKC8ODvaXdVaV4+pz4/y

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/node-windows/bin/sudowin/sudo.exe

    • Size

      20KB

    • MD5

      98cfa945795d9185d64518a8b7ab38bf

    • SHA1

      64de54cd41ab3be000406785ec9f1ff9bac8f57f

    • SHA256

      922754cfe2c6cfe1dceeaedb74fc00367e9613afd0ad8c9e42ec80a81d04d49b

    • SHA512

      12a0d9af0c4c43804f6c244ca3b212a5ff3c694d990b9336a922975bba1a0f31b9e06fb1934bc9a4164c7d090f796ae9c62cc670e9fc4021d7e7eeaaa0641932

    • SSDEEP

      96:74RH/g8jFSw6euTpHAvybfxFa/zn+UwuVA8rTskEn1W1WuZB5MYYd2J1ltgQbFgB:74RTFv69UyLa6UXTizY0Qbu

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/node-windows/bin/winsw/winsw.exe

    • Size

      58KB

    • MD5

      e0eef2861571b63a45ee59d802ccfa8c

    • SHA1

      f6fd98de7e17971be2a8eec4aa89e70bb26d1b7e

    • SHA256

      5859b114d96800a2b98ef9d19eaa573a786a422dad324547ef25be181389df01

    • SHA512

      10164a85ac67e7b481be5f0abe7734dd27252fdd7ecb7855423cae230cc1c54ce8652e85f2571050ccfd50975a2c53db74185031b551ef2c46ceba8b4cef0553

    • SSDEEP

      768:dbLoXR9wSKYrHLHYrvL7yUUeUdfKTwEsWQFNMDmtUG0pb4Pe:dAXR9wSK6b8j2UUNCTSWQFsGwb4Pe

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/node-windows/lib/binaries.js

    • Size

      2KB

    • MD5

      ac96898f4bd4aea3e3715a772c2c544e

    • SHA1

      d5f63220b5bf777028441e50dbc09811ca08c71d

    • SHA256

      a5b358388413c68f8a4c649fdb8e50c52c443bec19a792678011da72c323c1db

    • SHA512

      23299ab747fd15ad86986d96bd2dd4ae0111d1db8c98460bb28c4085d6b8701de83368f8d5142c1d988e8eb1d2b0ae30965799f63ea8e198ddac130a32d7d3ec

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/node-windows/lib/cmd.js

    • Size

      2KB

    • MD5

      dcfc8a89f25bdd54fe00476d5c66c669

    • SHA1

      696d36e2904176a3ca7d13555762068829651b5e

    • SHA256

      3886e90275c107043768d5713dbb522a622a6cbbc6bd7d240bab126c459ec576

    • SHA512

      8c588dec102b587a23a338f25dc435f71ce34964af844174414a73836128a3467a86dfef2e7cacf177422099b0750dd94168b48cc39f62244e17c25dc26afb71

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/node-windows/lib/daemon.js

    • Size

      24KB

    • MD5

      6149760c1dd670fd1cdd7592326199c9

    • SHA1

      be413fdcf6a89985119ac2549034981d7f055af6

    • SHA256

      56c2e2d712ed2f692255cd8a15328d32ca3b877b91130cd83ec5f46235513cb1

    • SHA512

      c6975004281ff434200377c7c9f9198182c20771cbea4ba2e81a9e8c9bdbc6c03f87a0e64474cb8f04a1682d86086625343ac0b0dd559f57e6685cd413dce8c6

    • SSDEEP

      768:0WQLaL6CNTPPT1THTKT7GTneKKTiToVDTeLJ+JGrpTmT0n4CquTqcLs/FLuLGpYp:0WQLaL6CNTPPT1THTKT6T4TiT6TeLJ+0

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/node-windows/lib/eventlog.js

    • Size

      6KB

    • MD5

      0fc62adc34dc81a5f9fc3a298aa78eaf

    • SHA1

      4b79d9a54bfa5e4d37c251ef70bd3b81cb3e5d81

    • SHA256

      ac0eab52e15690398c630200e7000a1d291a863bca9709456f27b92c11cd81de

    • SHA512

      02700df4c79c715849b4ee7fcdbc48e1dee7d5b96131af3f627fac55619e094a687d1e50d4efdb55ab471085848e44caf2d3d50da988a5dc5abecbd7c0967eba

    • SSDEEP

      192:HeTm/XkXoiMQDtYnLSwyaXW+Y4LImWqYcyWKYuZDWsY6YW/Y/jg:HGsUSQZYnLt7/YSdpYJ3YGDNY3yYLg

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

vmprotect, miner, xmrig
Score
10/10

behavioral1

defense_evasion, discovery, execution
Score
8/10

behavioral2

defense_evasion, discovery, execution, persistence, privilege_escalation
Score
8/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

defense_evasion, discovery, execution
Score
8/10

behavioral14

defense_evasion, discovery, execution, persistence, privilege_escalation
Score
8/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

execution
Score
3/10

behavioral26

execution
Score
3/10

behavioral27

execution
Score
3/10

behavioral28

execution
Score
3/10

behavioral29

execution
Score
3/10

behavioral30

execution
Score
3/10

behavioral31

execution
Score
3/10

behavioral32

execution
Score
3/10