xmrig.exe

First submission 2024-09-22 21:29:08 Last sumbission 2024-10-15 17:59:07

File details

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Mime type:	application/x-dosexec
File size:	2913.5 KB (2983424 bytes)
Compile time:	2024-08-11 20:18:04
MD5:	43f595460b2fca77561c63e8a80178dd
SHA1:	ce644189a561c6a2a6f6f6656fc6a46e006d1d87
SHA256:	7dc50338d476cd0dfdfcf48dc7dbff682d6d04458c6ce2808f35779606576532
Import Hash :	17fb7e76da9d0e277bd22cf9f3d5242c
Sections 3	UPX0 UPX1 .rsrc
Directories 4	import resource tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	52/77 VT report date: 2024-09-21 11:56:46
Malware Type 3	miner pua trojan
Threat Type 2	xmrig ib24

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://209.141.51.21/xmrig.exe	209.141.51.21	2024-10-15 17:59:11

PE Sections 2 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
UPX0	0x1000	0x969000	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
UPX1	0x96a000	0x2d3000	2957824	1cfc87e070b6fe19a1741cb234baf884ab46ce04	79818e13c8fe33436eed719f15dd3e73
.rsrc	0xc3d000	0x7000	25088	f75599eb8b3b7d5f178fa64ebba1643a88f1c9dd	e9083890ed2a3b1f86a59ae5bebb0a4f

PE Resources 4

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xc4211c	1128	PE Resource: RT_ICON - Data ( @vwwvqqqVWWVWWVWWVWWqqqvwwveee#lmmVWWVWWVWWVWWVWWVWWVWWVWWlmmeee#eee#_``VWWVWWVWWVWWVWWVWWVWWVWWVWWVWW_``eee#VWWVWWVWWVWWVWWVWWVWWVWWVWWVWWVWWVWWVWWVWW$VWWVWW$>gg`aaggggg>gggg6yggggggggggD~ggg'pggggggg'pSggg'pggggg'pggDSg>gga~Dgggggg>EvgSggSgggggEv8{S6ygggogggg8{.t#&ogggggggggg&o.t#.t#8{gggggggg8{.t#Ev>gggg>Ev
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xc42588	62
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xc425cc	652	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO?StringFileInfo000004b0<CompanyNamewww.xmrig.com@FileDescriptionXMRig miner.FileVersion6.22.0h"LegalCopyrightCopyright (C) 2016-2024 xmrig.com< OriginalFilenamexmrig.exe,ProductNameXMRig2ProductVersion6.22.0DVarFileInfo$Translation
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xc4285c	1167	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!--The ID below indicates application support for Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!--The ID below indicates application support for Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>

Meta infos 8

LegalCopyright:	Copyright (C) 2016-2024 xmrig.com
ProductVersion:	6.22.0
CompanyName:	www.xmrig.com
FileVersion:	6.22.0
FileDescription:	XMRig miner
Translation:	0x0000 0x04b0
OriginalFilename:	xmrig.exe
ProductName:	XMRig

Strings analysis - File found

Library
ADVAPI32.dll
dbghelp.dll
USER32.dll
KERNEL32.dll
IPHLPAPI.DLL
SHELL32.dll
MSVCRT.dll
ole32.dll
Crypt32.dll
USERENV.dll
WS2_32.dll

Import functions

dbghelp.dll 1 IPHLPAPI.DLL 1 CRYPT32.dll 1 SHELL32.dll 1 KERNEL32.DLL 4 msvcrt.dll 1 ADVAPI32.dll 1 ole32.dll 1 WS2_32.dll 1 USER32.dll 1 USERENV.dll 1

Function	Address	Souspicious	Anti Debug
SymGetOptions	0x140c42dfc

Function	Address	Souspicious	Anti Debug
GetAdaptersAddresses	0x140c42e0c

Function	Address	Souspicious	Anti Debug
CertOpenStore	0x140c42dec

Function	Address	Souspicious	Anti Debug
SHGetKnownFolderPath	0x140c42e64

Function	Address	Souspicious	Anti Debug
LoadLibraryA	0x140c42e1c
ExitProcess	0x140c42e24
GetProcAddress	0x140c42e2c
VirtualProtect	0x140c42e34

Function	Address	Souspicious	Anti Debug
atof	0x140c42e44

Function	Address	Souspicious	Anti Debug
FreeSid	0x140c42ddc

Function	Address	Souspicious	Anti Debug
CoTaskMemFree	0x140c42e54

Function	Address	Souspicious	Anti Debug
bind	0x140c42e94

Function	Address	Souspicious	Anti Debug
ShowWindow	0x140c42e74

Function	Address	Souspicious	Anti Debug
GetUserProfileDirectoryW	0x140c42e84