Win32/CoinMiner (Dokinzakbar)

Forum for analysis and discussion about malware.
Post Reply
Posts: 331
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Sun Jan 01, 2017 1:18 pm

You do not have the required permissions to view the files attached to this post.
User avatar
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Jan 09, 2019 9:38 am

ikolor wrote:
Sun Jan 01, 2017 1:18 pm
Please make selection ...2017 ... 483276621/
Trojan muldrop with coin miner as payload.

SFX archive, next actual malware dropper -> extracts files to %UserProfile%\Public. Main malware inside password protected zip file called This zip file unpacked by ConsoleApplication1.exe (also dropped by malware) with password "dokinzakbar" (hardcoded inside ConsoleApplication1.exe). After unpacking ConsoleApplication1.exe executes malicious script NVidiaDriverUpdate.vbs

TL;DR it is cryptocurrency miner configured as

Code: Select all

"NvidiaUpdater.exe -a cryptonight -o stratum+tcp:// -u -p 2101skymagicss -t 1", 0, true
where NvidiaUpdater.exe is a coin miner called "cpuminer-multi".

This email can be found in google and lead to russian Magnitogorsk.

Posts moved.
Ring0 - the source of inspiration
Post Reply