MAR-10382254.r1.v1: XMRIG Cryptominer
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
Produced by: cisa, 2022-06-03T15:14:20-04:00 (BMachine 134 / 7.1.0)
File: hmsvc.exe
Size: 720384 bytes
Type: PE32+ executable (GUI) x86-64, for MS Windows
MD5: df81145680b4deab198d9bba091d86e9
SHA1: 4235d9a934d26ec688c21e3fc2e470178b7b3c21
SHA256: 6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349
SHA512: de5e8164f58120e624e0546518b5c0c5df864baa9b389162f1be75547e6f684ee94f9df5738cdcf5065dd7bfcd6481c6ea45f4c1ff154edb4e0ad48ea5260d42
SSDEEP: 12288:g5eggD3QpKCvO5yPPGtjLFanfI2YAMinlQZUub+RdYhawaGFbhwydP76N5:ceHD3eKU+tVafVgKlQZUlRdYVdP76N5
Entropy: 7.623341
(unlabeled field in the source record: 7)
Compiled: 2016-06-12 12:53:34-04:00

Version information resource:
CompanyName: Sysinternals - www.sysinternals.com
FileDescription: Lists logon session information
FileVersion: 1.4
InternalName: LogonSessions
LegalCopyright: Copyright (C) 2004-2016 Mark Russinovich
OriginalFilename: logonsessions.exe
ProductName: Sysinternals LogonSessions
ProductVersion: 1.4

PE sections (name, raw size in bytes, entropy, MD5):
header  1024    2.888609  e16f93c6b1a062a1dc2156fc770594a6
.text   89088   6.366960  c4466c75f41681629fc2ead156f8de84
.rdata  65536   4.425938  4d9a0bcd9467b5aaee5d4d762219821b
.data   6656    3.054858  f80417eeab656641c6a5206454b398d3
.pdata  5120    4.855993  e0d2510e666231c532ff97edf51abd10
.rsrc   550912  7.914631  fff7f8f7be38486e0a6d01bc0472a6f2
.reloc  2048    4.939573  bca539afcd691a4a238b78fc830dc55a

Analyst note: the version resource reproduces the strings of the Sysinternals LogonSessions utility, but the anti-virus results below classify the file as a trojan (Win64/Injector, Gen:Variant.Ulise). The .rsrc section holds 550912 of the file's 720384 bytes at an entropy of 7.914631, close to the 8.0 of uniformly random data, which is consistent with a compressed or encrypted payload stored as a resource. A Sysinternals version string is therefore not evidence of a benign binary; check the Authenticode signature and compare the hash against a known-good copy of the tool before trusting it.
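The section table above is the kind of output a PE triage pass produces: per-section raw size, entropy and MD5, with the high-entropy .rsrc standing out against an otherwise ordinary layout. The Python below is an added example, not code from the CISA report or from CISA tooling. It rebuilds such a table from raw bytes using only the standard library (DOS header, PE signature, COFF header, section table) and flags sections above an entropy threshold. The 7.5-bit threshold, the function names and the synthetic PE32+ fixture built by build_sample_pe() are assumptions of the example; the page ships no sample, so the fixture stands in for one.

```python
"""Added example (not from the CISA report): per-section entropy triage for a PE file."""
import hashlib
import math
import random
import struct
from collections import Counter

HIGH_ENTROPY = 7.5              # assumed threshold; tune to your environment
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Return [(name, raw_size, entropy, md5)] for each section of a PE32/PE32+ image.

    Walks MZ header -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER, then skips the
    optional header by SizeOfOptionalHeader to reach the section table.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    rows = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only Name, SizeOfRawData, PointerToRawData are used
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        body = pe[raw_ptr:raw_ptr + raw_size]
        rows.append((name.rstrip(b"\x00").decode("ascii", "replace"),
                     raw_size, round(shannon_entropy(body), 6),
                     hashlib.md5(body).hexdigest()))
    return rows


def suspicious_sections(rows, threshold: float = HIGH_ENTROPY) -> list:
    """Section names whose entropy exceeds the threshold (compressed/encrypted payloads)."""
    return [name for name, _, entropy, _ in rows if entropy > threshold]


def build_sample_pe(sections: dict) -> bytes:
    """Constructed fixture: a minimal PE32+ image holding the given {name: body} sections.

    Real header layout (DOS header -> PE signature -> COFF -> optional header ->
    section table), with the optional header zeroed except for the PE32+ magic.
    """
    opt_size = 240                                   # sizeof(IMAGE_OPTIONAL_HEADER64)
    e_lfanew = 0x80
    headers = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers + 0x1FF) & ~0x1FF           # 512-byte file alignment
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    table, bodies = bytearray(), bytearray()
    for i, (name, body) in enumerate(sections.items()):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             len(body), 0x1000 * (i + 1), len(body), first_raw + len(bodies),
                             0, 0, 0, 0, 0x60000020)
        bodies += body
    image = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + bytes(table)
    return image.ljust(first_raw, b"\x00") + bytes(bodies)


# Constructed sample shaped like the report's table: a flat .text and a large,
# noisy .rsrc (seeded PRNG bytes stand in for a packed or encrypted payload).
_rng = random.Random(1)
SAMPLE_PE = build_sample_pe({
    ".text": b"\x90" * 4096,
    ".rsrc": bytes(_rng.getrandbits(8) for _ in range(65536)),
})

if __name__ == "__main__":
    rows = parse_sections(SAMPLE_PE)
    print(f"{'name':<8}{'raw size':>9}{'entropy':>10}  md5")
    for name, size, entropy, md5 in rows:
        print(f"{name:<8}{size:>9}{entropy:>10.6f}  {md5}")
    print("high-entropy sections:", suspicious_sections(rows))
```

Point parse_sections() at the bytes of a real file to get the same columns the report shows. Entropy alone does not prove packing (signed certificates, images and compressed resources also score high), so treat a flagged section as a prompt to inspect the resource directory, not as a verdict.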
Relationship: Connected_To

File: 658_dump_64.exe
Size: 491520 bytes
Type: PE32+ executable (console) x86-64, for MS Windows
MD5: f9e6ca0bdaa43df9ed0449b964e1b8b4
SHA1: 24b983856dfdd4e48eeeafc9372b70d6b53ae722
SHA256: 6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d
SHA512: 5b8bfe6f043cd6e0ee6ac6665e95751c5369ec171050497122533302f2d7f5f5b7a4a23c70618f396bd52b4ec919ff2214cc2641a0e46607707d3d393fd105eb
SSDEEP: 6144:F4ph6Duxm/k+DesM/uZwZLmixJwxbgaEvUhN8/bSJ40+R833OutenWRaMt:F4b6DV/k+D3MWZFXgJvBX/b0
Compiler/packer signature: Microsoft Visual C++ 8.0 (DLL)
Entropy: 6.058119
(unlabeled field in the source record: 7)
Compiled: 2022-02-21 19:02:06-05:00

PE sections (name, raw size in bytes, entropy, MD5):
header  4096    0.893865  60df3f67c31781bbec2444de6daf8a2b
.text   327680  6.393378  9ebe1be469e63ff47601b0c714285509
.rdata  110592  4.552154  1cb5bcc8bcade2b3ddee4dc6c617824a
.data   20480   3.781076  e89305f8c6e571d82fb370f352192aa2
.pdata  20480   5.309842  ca8c03d7af637fa213b44d065c073c75
_RDATA  4096    0.256806  bab9a0fee3d912c3b866d3ca88b47510
.reloc  4096    4.894447  9a68c3f572ae2b201926c193eeed1cab

Analyst note: this file carries none of the borrowed Sysinternals version strings and its section entropies are unremarkable; the anti-virus labels below (Win64/Spy.Agent, Trojan/Win.PWS) and the report's remote-access-trojan and command-and-control tags identify it as the spying and C2 component. The compile timestamp of 2022-02-21 is about three months before the report date, but PE timestamps are attacker-controlled and should be corroborated rather than relied on.
Relationships: Characterized_By Figure 1, Characterized_By Figure 2, Characterized_By Figure 3 (figures not included here)
Network indicator: 192.95.20.8
Port: 443
Protocol: TCP
Relationships: Connected_From, Related_To, Related_To
Queried whois.ovh.com with "ip-192-95-20.net"...
Domain Name: ip-192-95-20.net
Registry Domain ID: 1765585340_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: https://www.ovh.com
Updated Date: 2021-12-01T02:56:46.0Z
Creation Date: 2012-12-11T13:59:05.0Z
Registrar Registration Expiration Date: 2022-12-11T13:59:05.0Z
Registrar: OVH, SAS
Registrar IANA ID: 433
Registrar Abuse Contact Email: abuse@ovh.net
Registrar Abuse Contact Phone: +33.972101007
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Hebergement OVH Inc.
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province:
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: CA
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Registrant Email: 45oplxny9ljiuizg7k3l@w.o-w-o.info
Registry Admin ID:
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Admin Email: t0xyeloj2uxkh9uyhhjh@y.o-w-o.info
Registry Tech ID:
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Send message to contact by visiting https://www.ovhcloud.com/en/lp/request-ovhcloud-registered-domain/
Tech Email: t0xyeloj2uxkh9uyhhjh@y.o-w-o.info
Name Server: dns10.ovh.ca
Name Server: ns10.ovh.ca
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
YARA indicator: CISA_Consolidated.yara: CISA_10382580_03
Indicator type: Malware Artifacts
MD5: df81145680b4deab198d9bba091d86e9
SHA1: 4235d9a934d26ec688c21e3fc2e470178b7b3c21
SHA256: 6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349
Producer: NCCIC
Tool reference: http://plusvic.github.io/yara/
Produced: 2022-06-06T18:27:18+00:00
YARA indicator: CISA_Consolidated.yara: CISA_10382580_01
Indicator type: Malware Artifacts
MD5: f9e6ca0bdaa43df9ed0449b964e1b8b4
SHA1: 24b983856dfdd4e48eeeafc9372b70d6b53ae722
SHA256: 6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d
Producer: NCCIC
Tool reference: http://plusvic.github.io/yara/
Produced: 2022-06-06T18:27:18+00:00
IP indicator: 192.95.20.8
Indicator type: Malicious IP (IP Watchlist)
Producer: NCCIC
Produced: 2022-06-06T18:27:18+00:00
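The three indicators above are what a detection team actually deploys from a report like this: two sets of file hashes and one IP with a port and protocol. The Python below is an added example, not part of the CISA report, that turns them into a matcher for host and network telemetry. Hash values are looked up case-insensitively in the Hashes field of Sysmon process-creation events (EventID 1), and conn.log rows from Zeek are checked against the IP, distinguishing a full 192.95.20.8:443/TCP hit from an IP-only hit on another port. The hash and IP values are copied from the report; the Sysmon events, Zeek rows, hostnames, paths and timestamps are constructed for the example, and the function names are the example's own.

```python
"""Added example (not from the CISA report): match the report's indicators in telemetry."""
import re

# Indicator values copied from MAR-10382254.r1.v1.
FILE_INDICATORS = {
    "hmsvc.exe": {
        "MD5": "df81145680b4deab198d9bba091d86e9",
        "SHA1": "4235d9a934d26ec688c21e3fc2e470178b7b3c21",
        "SHA256": "6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349",
    },
    "658_dump_64.exe": {
        "MD5": "f9e6ca0bdaa43df9ed0449b964e1b8b4",
        "SHA1": "24b983856dfdd4e48eeeafc9372b70d6b53ae722",
        "SHA256": "6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d",
    },
}
C2_IP, C2_PORT, C2_PROTO = "192.95.20.8", 443, "tcp"

# Reverse index so a hash of any algorithm resolves in one lookup.
HASH_INDEX = {value: (name, algo)
              for name, algos in FILE_INDICATORS.items()
              for algo, value in algos.items()}


def parse_sysmon_hashes(field: str) -> dict:
    """'SHA1=AB..,MD5=CD..,IMPHASH=..' -> {'SHA1': 'ab..', 'MD5': 'cd..', ...}.

    Sysmon writes uppercase hex and only the algorithms enabled in its config,
    so values are lowercased and no particular algorithm is assumed to be present.
    """
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_sysmon(event: str) -> list:
    """[(file, algo)] for every report hash found in a Sysmon EventID 1 line."""
    m = re.search(r"Hashes=(\S+)", event)
    if not m:
        return []
    return [HASH_INDEX[v] for v in parse_sysmon_hashes(m.group(1)).values() if v in HASH_INDEX]


def match_zeek(row: str):
    """Classify a Zeek conn.log row against the network indicator.

    Returns 'c2' when responder IP, port and protocol all match 192.95.20.8:443/TCP,
    'ip-only' when just the IP matches (still worth a look: ports move), else None.
    """
    f = row.split("\t")
    if len(f) < 7 or f[4] != C2_IP:
        return None
    return "c2" if (int(f[5]), f[6].lower()) == (C2_PORT, C2_PROTO) else "ip-only"


def scan(sysmon_events, zeek_rows) -> list:
    """(source, line_no, detail) for every telemetry line that hits an indicator."""
    hits = []
    for n, ev in enumerate(sysmon_events, 1):
        for name, algo in match_sysmon(ev):
            hits.append(("sysmon", n, f"{name} via {algo}"))
    for n, row in enumerate(zeek_rows, 1):
        kind = match_zeek(row)
        if kind:
            hits.append(("zeek", n, kind))
    return hits


# Constructed telemetry. Hash values are built from the indicators above (uppercased,
# as Sysmon emits them); hosts, paths, timestamps and the benign hash are made up.
_h = FILE_INDICATORS["hmsvc.exe"]
_d = FILE_INDICATORS["658_dump_64.exe"]
SYSMON_EVENTS = [
    "EventID=1 UtcTime=2022-06-01 14:02:11.120 Image=C:\\Windows\\Temp\\hmsvc.exe "
    f"Hashes=SHA1={_h['SHA1'].upper()},MD5={_h['MD5'].upper()},SHA256={_h['SHA256'].upper()} "
    "ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=1 UtcTime=2022-06-01 14:02:30.004 Image=C:\\Windows\\System32\\notepad.exe "
    "Hashes=SHA256=" + "0" * 64 + " ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1 UtcTime=2022-06-01 14:03:02.551 Image=C:\\Users\\Public\\658_dump_64.exe "
    f"Hashes=MD5={_d['MD5'].upper()} ParentImage=C:\\Windows\\Temp\\hmsvc.exe",
]
# Zeek conn.log columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
ZEEK_CONN = [
    "1654092131.500000\tCx1a\t10.0.0.5\t52133\t192.95.20.8\t443\ttcp\tssl",
    "1654092140.100000\tCx1b\t10.0.0.7\t40000\t192.95.20.8\t8080\ttcp\t-",
    "1654092141.100000\tCx1c\t10.0.0.7\t40001\t198.51.100.20\t443\ttcp\tssl",
]

if __name__ == "__main__":
    for src, n, detail in scan(SYSMON_EVENTS, ZEEK_CONN):
        print(f"{src} line {n}: {detail}")
```

Two caveats the code encodes: Sysmon only logs the hash algorithms its configuration enables, so a matcher that assumes SHA256 is always present will miss hosts configured for MD5 or SHA1 only; and the whois record above shows 192.95.20.8 sits in an OVH hosting range, so an IP-only hit is a lead to triage, not a confirmed compromise.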
MAEC Characterization of df81145680b4deab198d9bba091d86e9 (hmsvc.exe)
Anti-virus detections:
Bitdefender: Gen:Variant.Ulise.345018
IKARUS: Trojan.Win64.Injector
AhnLab: Trojan/Win.Generic
Emsisoft: Gen:Variant.Ulise.345018 (B)
Avira: HEUR/AGEN.1248665
ESET: a variant of Win64/Injector.HA.gen trojan
Adaware: Gen:Variant.Ulise.345018
Malware label: trojan
MAEC Characterization of f9e6ca0bdaa43df9ed0449b964e1b8b4 (658_dump_64.exe)
Anti-virus detections:
AhnLab: Trojan/Win.PWS
ESET: a variant of Win64/Spy.Agent.EA trojan
Malware labels: remote-access-trojan, command-and-control