xmrig.exe

First submission 2024-10-14 23:33:04 Last sumbission 2024-10-17 08:22:04

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	6215.0 KB (6364160 bytes)
Compile time:	2024-08-11 20:16:41
MD5:	5fba8ae226b096da3b31de0e17496735
SHA1:	d532a01254cf9e0229d3c5803b78ff7c9b0cb8d3
SHA256:	ca28f4aeaa5e16d216cd828b67454a56f3c7feeb242412d26ed914fadff20d40
Import Hash :	12806e48b853545b536463546db4baa1
Sections 10	.text .rdata .data .pdata _RANDOMX _TEXT_CN _TEXT_CN _RDATA .rsrc .reloc
Directories 5	import resource debug tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	59/77 VT report date: 2024-10-14 09:23:32
Malware Type 3	miner trojan pua
Threat Type 3	bitminer vsntil24 xmrig

URLs, FQDN and IP indicators 2

URL	Host (FQDN/IP)	Date Added
hXXp://144.34.162.13/xmrig.exe	144.34.162.13	2024-10-17 08:22:10
hXXp://fish.hackbiji.cc/xmrig.exe	fish.hackbiji.cc	2024-10-14 23:33:04

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x41a478	4302336	8e907f8cdd0f129cef928a090d8a58561fd03afc	7bfa50ff80e175efdc3f63b945917ffd
.rdata	0x41c000	0x1a6e22	1732608	42194d00efaf19f259e8568816b7f39bb81e4943	45ad955dcfec3415d214ef4e759878b5
.data	0x5c3000	0x2af4d4	66048	7f818196ffd27ec2a931c518f3dcee71498343aa	21bcb66e26a5153208ee0e5b0674ac6a
.pdata	0x873000	0x2a528	173568	13493fdbca6ed08919103a701533a91ea857a0d0	3216f277e28eeb2a10e798f3c405f411
_RANDOMX	0x89e000	0xc56	3584	11bd5b6446d56158259a24b938f7c4959bd56e21	9ee63642b94966ecb630ee0843e46b26
_TEXT_CN	0x89f000	0x26d1	10240	91d62ae67c7e250650c5d785cffb0a794da2f085	afea7882aa31e5987db2f12b8933de56
_TEXT_CN	0x8a2000	0x1184	4608	4992a8b9c3e33a7f8659bd20066f907134f7c337	409bf3f918f2402291cb56c2e9354b47
_RDATA	0x8a4000	0xf4	512	01b502d92676cfa20dd538708d40786d1d4bc8a4	9e68fee697a3137ad662934ab8ec793e
.rsrc	0x8a5000	0x59c8	23040	d5a9514d367b9aadc371fc5c17de64bb4a03c2b7	7f3f3f5f465203df366d3144803e1e11
.reloc	0x8ab000	0xb5a0	46592	084c4db1a836b0eb982c191e08412c5bd677a158	2db71728c819782830a4bc6de4955950

PE Resources 4

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x8aa110	1128	PE Resource: RT_ICON - Data ( @vwwvqqqVWWVWWVWWVWWqqqvwwveee#lmmVWWVWWVWWVWWVWWVWWVWWVWWlmmeee#eee#_``VWWVWWVWWVWWVWWVWWVWWVWWVWWVWW_``eee#VWWVWWVWWVWWVWWVWWVWWVWWVWWVWWVWWVWWVWWVWW$VWWVWW$>gg`aaggggg>gggg6yggggggggggD~ggg'pggggggg'pSggg'pggggg'pggDSg>gga~Dgggggg>EvgSggSgggggEv8{S6ygggogggg8{.t#&ogggggggggg&o.t#.t#8{gggggggg8{.t#Ev>gggg>Ev
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x8aa578	62
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x8aa5b8	652	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO?StringFileInfo000004b0<CompanyNamewww.xmrig.com@FileDescriptionXMRig miner.FileVersion6.22.0h"LegalCopyrightCopyright (C) 2016-2024 xmrig.com< OriginalFilenamexmrig.exe,ProductNameXMRig2ProductVersion6.22.0DVarFileInfo$Translation
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x8aa848	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Meta infos 8

LegalCopyright:	Copyright (C) 2016-2024 xmrig.com
ProductVersion:	6.22.0
CompanyName:	www.xmrig.com
FileVersion:	6.22.0
FileDescription:	XMRig miner
Translation:	0x0000 0x04b0
OriginalFilename:	xmrig.exe
ProductName:	XMRig

Packers detected 2

Microsoft Visual C++ 8.0 (DLL)
Microsoft Visual C++ 8.0

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

Bochs & QEmu CPUID Trick

Strings analysis - File found

XML
topology.xml
Library
api-ms-win-core-synch-l1-2-0.dll
mscoree.dll
ntdll.dll
KERNEL32.dll
ADVAPI32.dll
SHELL32.dll
Powrprof.dll
USER32.dll
IPHLPAPI.DLL
atiadlxx.dll
opencl.dll
WS2_32.dll
xmrig-cuda.dll
%PROGRAMFILES%\NVIDIA Corporation\NVSMI\nvml.dll
USERENV.dll
nvml.dll
bcrypt.dll
ole32.dll
Crypt32.dll
%s.dll
PSAPI.DLL

Strings analysis - Possible IPs found 25

1.3.111.2
1.3.101.111
1.3.101.110
1.3.101.113
1.3.101.112
127.0.0.1
1.3.36.3
1.3.6.1
3.1.9.9
3.1.9.4
3.1.9.3
3.1.9.1
3.1.9.29
3.1.9.49
3.1.9.21
1.3.14.3
3.1.9.23
3.1.9.44
3.1.9.43
3.1.9.24
3.1.9.41
101.3.4.1
101.3.4.2
61.1.1.1
1.9.16.3

Strings analysis - Possible URLs found 5

http://
https://xmrig.com/wizard
https://xmrig.com/benchmark/%s
https://
https://xmrig.com/docs/algorithms

Import functions

bcrypt.dll 1 IPHLPAPI.DLL 1 CRYPT32.dll 7 ADVAPI32.dll 33 KERNEL32.dll 229 SHELL32.dll 1 ole32.dll 3 WS2_32.dll 36 USER32.dll 10 USERENV.dll 1

Function	Address	Souspicious	Anti Debug
BCryptGenRandom	0x14041ca30

Function	Address	Souspicious	Anti Debug
GetAdaptersAddresses	0x14041c150

Function	Address	Souspicious	Anti Debug
CertFreeCertificateContext	0x14041c110
CertFindCertificateInStore	0x14041c118
CertEnumCertificatesInStore	0x14041c120
CertCloseStore	0x14041c128
CertOpenStore	0x14041c130
CertGetCertificateContextProperty	0x14041c138
CertDuplicateCertificateContext	0x14041c140

Function	Address	Souspicious	Anti Debug
SystemFunction036	0x14041c000
GetUserNameW	0x14041c008
ReportEventW	0x14041c010
RegisterEventSourceW	0x14041c018
DeregisterEventSource	0x14041c020
CryptEnumProvidersW	0x14041c028
CryptSignHashW	0x14041c030
CryptDestroyHash	0x14041c038
CryptCreateHash	0x14041c040
CryptDecrypt	0x14041c048
CryptExportKey	0x14041c050
CryptGetUserKey	0x14041c058
CryptGetProvParam	0x14041c060
CryptSetHashParam	0x14041c068
CryptDestroyKey	0x14041c070
CryptReleaseContext	0x14041c078
CryptAcquireContextW	0x14041c080
CreateServiceW	0x14041c088
QueryServiceStatus	0x14041c090
CloseServiceHandle	0x14041c098
OpenSCManagerW	0x14041c0a0
QueryServiceConfigA	0x14041c0a8
DeleteService	0x14041c0b0
ControlService	0x14041c0b8
StartServiceW	0x14041c0c0
OpenServiceW	0x14041c0c8
LookupPrivilegeValueW	0x14041c0d0
AdjustTokenPrivileges	0x14041c0d8
OpenProcessToken	0x14041c0e0
LsaOpenPolicy	0x14041c0e8
LsaAddAccountRights	0x14041c0f0
LsaClose	0x14041c0f8
GetTokenInformation	0x14041c100

Function	Address	Souspicious	Anti Debug
GetStringTypeW	0x14041c160
InitializeCriticalSectionAndSpinCount	0x14041c168
WriteConsoleW	0x14041c170
SetConsoleTitleA	0x14041c178
GetStdHandle	0x14041c180
SetConsoleMode	0x14041c188
GetConsoleMode	0x14041c190
QueryPerformanceFrequency	0x14041c198
QueryPerformanceCounter	0x14041c1a0
SizeofResource	0x14041c1a8
LockResource	0x14041c1b0
LoadResource	0x14041c1b8
FindResourceW	0x14041c1c0
ExpandEnvironmentStringsA	0x14041c1c8
GetConsoleWindow	0x14041c1d0
GetSystemFirmwareTable	0x14041c1d8
HeapFree	0x14041c1e0
HeapAlloc	0x14041c1e8
GetProcessHeap	0x14041c1f0
MultiByteToWideChar	0x14041c1f8
SetPriorityClass	0x14041c200
GetCurrentProcess	0x14041c208
SetThreadPriority	0x14041c210
GetSystemPowerStatus	0x14041c218
GetCurrentThread	0x14041c220
GetProcAddress	0x14041c228
GetModuleHandleW	0x14041c230
GetTickCount	0x14041c238
CloseHandle	0x14041c240
FreeConsole	0x14041c248
VirtualProtect	0x14041c250
VirtualFree	0x14041c258
VirtualAlloc	0x14041c260
GetLargePageMinimum	0x14041c268
LocalAlloc	0x14041c270
GetLastError	0x14041c278
LocalFree	0x14041c280
FlushInstructionCache	0x14041c288
GetCurrentThreadId	0x14041c290
AddVectoredExceptionHandler	0x14041c298
DeviceIoControl	0x14041c2a0
GetModuleFileNameW	0x14041c2a8
CreateFileW	0x14041c2b0
SetLastError	0x14041c2b8
GetSystemTime	0x14041c2c0
SystemTimeToFileTime	0x14041c2c8
GetModuleHandleExW	0x14041c2d0
Sleep	0x14041c2d8
InitializeSRWLock	0x14041c2e0
ReleaseSRWLockExclusive	0x14041c2e8
ReleaseSRWLockShared	0x14041c2f0
AcquireSRWLockExclusive	0x14041c2f8
AcquireSRWLockShared	0x14041c300
TlsAlloc	0x14041c308
TlsGetValue	0x14041c310
TlsSetValue	0x14041c318
TlsFree	0x14041c320
GetSystemInfo	0x14041c328
SwitchToFiber	0x14041c330
DeleteFiber	0x14041c338
CreateFiberEx	0x14041c340
FindClose	0x14041c348
FindFirstFileW	0x14041c350
FindNextFileW	0x14041c358
WideCharToMultiByte	0x14041c360
GetSystemDirectoryA	0x14041c368
FreeLibrary	0x14041c370
LoadLibraryA	0x14041c378
FormatMessageA	0x14041c380
GetFileType	0x14041c388
WriteFile	0x14041c390
GetEnvironmentVariableW	0x14041c398
GetACP	0x14041c3a0
ConvertFiberToThread	0x14041c3a8
ConvertThreadToFiberEx	0x14041c3b0
GetCurrentProcessId	0x14041c3b8
GetSystemTimeAsFileTime	0x14041c3c0
LoadLibraryW	0x14041c3c8
ReadConsoleA	0x14041c3d0
ReadConsoleW	0x14041c3d8
PostQueuedCompletionStatus	0x14041c3e0
CreateFileA	0x14041c3e8
DuplicateHandle	0x14041c3f0
SetEvent	0x14041c3f8
ResetEvent	0x14041c400
WaitForSingleObject	0x14041c408
CreateEventA	0x14041c410
QueueUserWorkItem	0x14041c418
RegisterWaitForSingleObject	0x14041c420
UnregisterWait	0x14041c428
GetNumberOfConsoleInputEvents	0x14041c430
ReadConsoleInputW	0x14041c438
FillConsoleOutputCharacterW	0x14041c440
FillConsoleOutputAttribute	0x14041c448
GetConsoleCursorInfo	0x14041c450
SetConsoleCursorInfo	0x14041c458
GetConsoleScreenBufferInfo	0x14041c460
SetConsoleCursorPosition	0x14041c468
SetConsoleTextAttribute	0x14041c470
WriteConsoleInputW	0x14041c478
CreateDirectoryW	0x14041c480
FlushFileBuffers	0x14041c488
GetDiskFreeSpaceW	0x14041c490
GetFileAttributesW	0x14041c498
GetFileInformationByHandle	0x14041c4a0
CreateEventW	0x14041c4a8
RtlCaptureContext	0x14041c4b0
GetFullPathNameW	0x14041c4b8
ReadFile	0x14041c4c0
RemoveDirectoryW	0x14041c4c8
SetFilePointerEx	0x14041c4d0
SetFileTime	0x14041c4d8
MapViewOfFile	0x14041c4e0
FlushViewOfFile	0x14041c4e8
UnmapViewOfFile	0x14041c4f0
CreateFileMappingA	0x14041c4f8
ReOpenFile	0x14041c500
CopyFileW	0x14041c508
MoveFileExW	0x14041c510
CreateHardLinkW	0x14041c518
GetFileInformationByHandleEx	0x14041c520
CreateSymbolicLinkW	0x14041c528
InitializeCriticalSection	0x14041c530
EnterCriticalSection	0x14041c538
LeaveCriticalSection	0x14041c540
TryEnterCriticalSection	0x14041c548
DeleteCriticalSection	0x14041c550
InitializeConditionVariable	0x14041c558
WakeConditionVariable	0x14041c560
WakeAllConditionVariable	0x14041c568
SleepConditionVariableCS	0x14041c570
ReleaseSemaphore	0x14041c578
ResumeThread	0x14041c580
GetNativeSystemInfo	0x14041c588
GetProcessAffinityMask	0x14041c590
SetThreadAffinityMask	0x14041c598
CreateSemaphoreA	0x14041c5a0
SetConsoleCtrlHandler	0x14041c5a8
GetCurrentDirectoryW	0x14041c5b0
GetLongPathNameW	0x14041c5b8
RtlUnwind	0x14041c5c0
CreateIoCompletionPort	0x14041c5c8
ReadDirectoryChangesW	0x14041c5d0
GetEnvironmentStringsW	0x14041c5d8
FreeEnvironmentStringsW	0x14041c5e0
SetEnvironmentVariableW	0x14041c5e8
SetCurrentDirectoryW	0x14041c5f0
GetTempPathW	0x14041c5f8
GlobalMemoryStatusEx	0x14041c600
FileTimeToSystemTime	0x14041c608
K32GetProcessMemoryInfo	0x14041c610
SetHandleInformation	0x14041c618
CancelIoEx	0x14041c620
CancelIo	0x14041c628
SwitchToThread	0x14041c630
SetFileCompletionNotificationModes	0x14041c638
LoadLibraryExW	0x14041c640
SetErrorMode	0x14041c648
GetQueuedCompletionStatus	0x14041c650
ConnectNamedPipe	0x14041c658
SetNamedPipeHandleState	0x14041c660
PeekNamedPipe	0x14041c668
CreateNamedPipeW	0x14041c670
CancelSynchronousIo	0x14041c678
GetNamedPipeHandleStateA	0x14041c680
GetNamedPipeClientProcessId	0x14041c688
GetNamedPipeServerProcessId	0x14041c690
TerminateProcess	0x14041c698
GetExitCodeProcess	0x14041c6a0
UnregisterWaitEx	0x14041c6a8
LCMapStringW	0x14041c6b0
DebugBreak	0x14041c6b8
GetModuleHandleA	0x14041c6c0
LoadLibraryExA	0x14041c6c8
GetStartupInfoW	0x14041c6d0
GetModuleFileNameA	0x14041c6d8
GetVersionExA	0x14041c6e0
SetProcessAffinityMask	0x14041c6e8
GetComputerNameA	0x14041c6f0
FlsFree	0x14041c6f8
FlsSetValue	0x14041c700
FlsGetValue	0x14041c708
FlsAlloc	0x14041c710
GetCPInfo	0x14041c718
RtlLookupFunctionEntry	0x14041c720
GetFinalPathNameByHandleW	0x14041c728
RtlVirtualUnwind	0x14041c730
UnhandledExceptionFilter	0x14041c738
SetUnhandledExceptionFilter	0x14041c740
IsProcessorFeaturePresent	0x14041c748
IsDebuggerPresent	0x14041c750
InitializeSListHead	0x14041c758
RtlUnwindEx	0x14041c760
RtlPcToFileHeader	0x14041c768
RaiseException	0x14041c770
SetStdHandle	0x14041c778
GetCommandLineA	0x14041c780
GetCommandLineW	0x14041c788
CreateThread	0x14041c790
ExitThread	0x14041c798
FreeLibraryAndExitThread	0x14041c7a0
GetDriveTypeW	0x14041c7a8
SystemTimeToTzSpecificLocalTime	0x14041c7b0
ExitProcess	0x14041c7b8
GetFileAttributesExW	0x14041c7c0
SetFileAttributesW	0x14041c7c8
GetConsoleOutputCP	0x14041c7d0
CompareStringW	0x14041c7d8
GetLocaleInfoW	0x14041c7e0
IsValidLocale	0x14041c7e8
GetUserDefaultLCID	0x14041c7f0
EnumSystemLocalesW	0x14041c7f8
HeapReAlloc	0x14041c800
GetTimeZoneInformation	0x14041c808
HeapSize	0x14041c810
SetEndOfFile	0x14041c818
FindFirstFileExW	0x14041c820
IsValidCodePage	0x14041c828
GetOEMCP	0x14041c830
GetFileSizeEx	0x14041c838
GetShortPathNameW	0x14041c840
CompareStringEx	0x14041c848
LCMapStringEx	0x14041c850
InitializeCriticalSectionEx	0x14041c858
WaitForSingleObjectEx	0x14041c860
GetExitCodeThread	0x14041c868
SleepConditionVariableSRW	0x14041c870
EncodePointer	0x14041c878
DecodePointer	0x14041c880

Function	Address	Souspicious	Anti Debug
SHGetSpecialFolderPathA	0x14041c890

Function	Address	Souspicious	Anti Debug
CoInitializeEx	0x14041ca40
CoUninitialize	0x14041ca48
CoCreateInstance	0x14041ca50

Function	Address	Souspicious	Anti Debug
WSASetLastError	0x14041c908
send	0x14041c910
recv	0x14041c918
ntohs	0x14041c920
htons	0x14041c928
htonl	0x14041c930
inet_addr	0x14041c938
inet_ntoa	0x14041c940
gethostbyaddr	0x14041c948
WSAGetLastError	0x14041c950
WSAIoctl	0x14041c958
gethostbyname	0x14041c960
WSARecvFrom	0x14041c968
WSASocketW	0x14041c970
WSASend	0x14041c978
WSARecv	0x14041c980
gethostname	0x14041c988
WSADuplicateSocketW	0x14041c990
getpeername	0x14041c998
FreeAddrInfoW	0x14041c9a0
GetAddrInfoW	0x14041c9a8
shutdown	0x14041c9b0
socket	0x14041c9b8
setsockopt	0x14041c9c0
listen	0x14041c9c8
connect	0x14041c9d0
closesocket	0x14041c9d8
bind	0x14041c9e0
WSACleanup	0x14041c9e8
WSAStartup	0x14041c9f0
select	0x14041c9f8
getsockopt	0x14041ca00
getsockname	0x14041ca08
ioctlsocket	0x14041ca10
getservbyname	0x14041ca18
getservbyport	0x14041ca20

Function	Address	Souspicious	Anti Debug
GetLastInputInfo	0x14041c8a0
MessageBoxW	0x14041c8a8
GetProcessWindowStation	0x14041c8b0
TranslateMessage	0x14041c8b8
GetUserObjectInformationW	0x14041c8c0
ShowWindow	0x14041c8c8
DispatchMessageA	0x14041c8d0
GetSystemMetrics	0x14041c8d8
MapVirtualKeyW	0x14041c8e0
GetMessageA	0x14041c8e8

Function	Address	Souspicious	Anti Debug
GetUserProfileDirectoryW	0x14041c8f8