Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner
Common Information
Type Value
UUID a402be82-b05a-4f7e-95fd-6d81f0db9fc8
Fingerprint a0908d5b85b2a6e3
Analysis status DONE
Considered CTI value 1
Text language
Published April 24, 2018, midnight
Added to db Jan. 18, 2023, 11:19 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner
Title Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner
Detected Hints/Tags/Attributes 59/1/25
Attributes
Type #Events CTI Value
CVE 126 cve-2017-0144
CVE 35 cve-2017-0145
Domain 1 controller.zip
Domain 1 xmrigminer32.zip
Domain 1 xmrigminer64.zip
Domain 1 miner.py
File 1 controller.zip
File 1 controller.py
File 18 conn.log
File 1 agent.vbs
File 1 xmrigminer32.zip
File 1 xmrigminer64.zip
File 1 shcm.exe
File 1 rmsg.exe
File 1 svcm.exe
File 1 winsvcman.exe
File 1122 svchost.exe
File 2 help.bat
File 1 schm.exe
File 1 miner.py
File 41 code.exe
IPv4 1 212.83.190.122
Url 1 http://212.83.190.122/server/controller.zip
Url 1 http://212.83.190.122/server/agent.vbs
Url 1 http://212.83.190.122/server/.