CYFIRMA uncovers open indexed directories hosting highly obfuscated Windows batch scripts that ultimately deploy a Monero (XMR) miner through a five-stage unpacking process. The malware employs anti-analysis, privilege escalation, defense evasion, stealth and file-less execution, with updates every few days and victims spread across multiple countries.
Key Points
- The malicious batch scripts are stored in an open indexed directory at 89.23.97.199:1444/ and 89.23.97.199/, with variants named Anonmy (variant 1), Anonmy (variant 2), and project88.cmd.
- Three variants unfold via multi-stage de-obfuscation, dropping a PowerShell payload, then multiple PE files, culminating in the final Monero miner (XMRrig.exe).
- The campaign runs in the background with anti-analysis, privilege escalation, defense evasion, stealth/file-less execution, and multi-stage unpacking, and has very low reputation on major anti-malware tools.
- Victims span several countries; around 570 KH/s is mined, estimated at about $500 USD per month, with updates every few days since February 29, 2024.
- Final payloads include an AMSI-bypassing stage, a LoadPE.dll in memory, and a stage-4 dropper that injects XMRrig.exe into explorer.exe; a WinRing0.sys driver is used to access CPU MSR registers for privilege elevation.
- The mining pool is pool.hashvault.pro; wallets linked to the actor include two threat-actor wallets and one linked to UnamSanctam on HackForums; SilentCryptoMiner appears as a variant lineage.
- The research notes potential attribution to a family/actor but explicitly states no definitive actor attribution at this time.
MITRE Techniques
- [T1059.001] PowerShell – “the malicious batch script [Stage 1] is executed to spawn an obfuscated PowerShell script [Stage 2].”
- [T1059.003] Windows Command Shell – “the malicious batch script [Stage 1] is executed to spawn an obfuscated PowerShell script [Stage 2].”
- [T1068] Exploitation for Privilege Escalation – “privilege escalation” is used to impair defenses and gain higher privileges.
- [T1574.002] DLL Side Loading – “‘LP’ (LoadPE.dll) is loaded into memory, and section ‘P’ stores a PE binary which will further drop more PE files for execution.”
- [T1055.001] DLL Injection – “process injection into legitimate Windows process ‘explorer.exe’ to inject a cryptocurrency miner PE ‘XMRrig.exe’.”
- [T1055.002] PE Injection – “XMRrig.exe is decrypted in memory and injected into explorer.exe after stage 4 dropper.exe exits.”
- [T1140] De-obfuscate/Decode Files or Information – “these lines are first base64 decoded, and then passed as an argument to func1().”
- [T1497] Virtualization/Sandbox Evasion – “defense evasion … anti-analysis / debugging methods.”
- [T1562.001] Impair Defenses – Disable or Modify Tools – “cinit-stealth-targets= Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe” indicating capability to disable defense tools.
- [T1622] Debugger Evasion – “Anti-debugging/analysis techniques, demonstrating the ability to check if a remote or local debugger is attached to the running process.”
- [TA0011] Command and Control: Web Protocols – “pool.hashvault.pro:80” used for mining pool communication.
- [T1496] Resource Hijacking – “Resource Hijacking” via CPU cycles to mine XMR.
- [T1608] Stage Capabilities – “new iterations released every few days” showing staged/updatable capabilities.
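Detection logic for the chain summarised in the key points and the MITRE mapping above, as an added example that is not part of the CYFIRMA report: it runs three checks over constructed Sysmon-style events and flags a batch script spawning hidden or encoded PowerShell (Stage 1 to 2), a WinRing0 driver load, and explorer.exe connecting to pool.hashvault.pro (Stage 5). The event layout, the sample lines, the rule names and the WinRing0x64.sys filename variant are assumptions made for this example, not values from the page.

```python
import re

# Constructed Sysmon-style events (key=value per line), written for this example;
# they are NOT logs from the CYFIRMA report. Sysmon IDs: 1 = process create,
# 3 = network connect, 6 = driver load. The -enc payload is placeholder base64.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe CommandLine=cmd.exe /c C:\Users\victim\Downloads\Anonmy.cmd",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=powershell -w hidden -ep bypass -enc QQBBAEEA",
    r"EventID=6 ImageLoaded=C:\Windows\Temp\WinRing0.sys Signed=true",
    r"EventID=3 Image=C:\Windows\explorer.exe DestinationHostname=pool.hashvault.pro DestinationPort=80",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe",
    r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationHostname=www.example.org DestinationPort=443",
]

# Mining pool named in the report; extend with the pools your telemetry tracks.
KNOWN_POOLS = {"pool.hashvault.pro"}
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split a key=value event line into a dict; values may contain spaces."""
    return dict(KV_RE.findall(line))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Return one finding per event that matches a stage of the described chain."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid, img = ev.get("EventID"), basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "").lower()
        # Stage 1 -> 2: a batch script (cmd.exe) spawning hidden/encoded PowerShell.
        if (eid == "1" and img == "powershell.exe"
                and basename(ev.get("ParentImage", "")) == "cmd.exe"
                and re.search(r"-(enc|encodedcommand|w hidden|ep bypass)\b", cmd)):
            findings.append({"rule": "batch_spawns_encoded_powershell",
                             "technique": "T1059.003->T1059.001", "evidence": cmd})
        # Stage 5: WinRing0 MSR driver load (the 64-bit build is named WinRing0x64.sys).
        elif eid == "6" and basename(ev.get("ImageLoaded", "")).startswith("winring0"):
            findings.append({"rule": "winring0_driver_load", "technique": "T1068",
                             "evidence": ev["ImageLoaded"]})
        # Stage 5: explorer.exe (the injection host) talking to a known mining pool.
        elif (eid == "3" and img == "explorer.exe"
                and ev.get("DestinationHostname", "").lower() in KNOWN_POOLS):
            findings.append({"rule": "explorer_to_mining_pool", "technique": "T1055.002/T1496",
                             "evidence": f'{ev["DestinationHostname"]}:{ev.get("DestinationPort")}'})
    return findings
```

Run `detect(SAMPLE_EVENTS)` to see the three findings; the benign notepad.exe and firefox.exe events produce none.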
Indicators of Compromise
- [IP Address] Open indexing directory – 89.23.97.199
- [Domain] Mining pool address – pool.hashvault.pro
Read more: https://www.cyfirma.com/research/obfuscated-batch-scripts-journey-to-monero-mining/