Indicator (IOC)
Essential information
- Value / Name: 85894b2bfe350962faeed8a5eab34593f74eb1b3
- Confidence: 100/100
- Revoked: Yes
- Valid from: 14/07/2022 10:54
- Valid until: 17/10/2023 10:54
- Pattern type: yara
- Published: 20/12/2025 19:34
- Modified: 20/12/2025 21:23
- Author / Source: AlienVault
Description
files - file smss.exe.bin
Pattern
rule smss_exe {
    meta:
        description = "files - file smss.exe.bin"
        author = "TheDFIRReport"
        reference = "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
        date = "2022/07/10"
        hash1 = "d3c3f529a09203a839b41cd461cc561494b432d810041d71d41a66ee7d285d69"
    strings:
        $s1 = "mCFoCRYPT32.dll" fullword ascii
        $s2 = "gPSAPI.DLL" fullword ascii
        $s3 = "www.STAR.com" fullword wide
        $s4 = "4;#pMVkWTSAPI32.dll" fullword ascii
        $s5 = " <requestedExecutionLevel level=\"asInvoker\"/>" fullword ascii
        $s6 = "dYDT.Gtm" fullword ascii
        $s7 = "|PgGeT~^" fullword ascii
        $s8 = "* IiJ)" fullword ascii
        $s9 = "{DllB8qq" fullword ascii
        $s10 = "tfaqbjk" fullword ascii
        $s11 = "nrvgzgl" fullword ascii
        $s12 = " <!--The ID below indicates application support for Windows 10 -->" fullword ascii
        $s13 = "5n:\\Tk" fullword ascii
        $s14 = " </compatibility>" fullword ascii
        $s15 = "HHp.JOW" fullword ascii
        $s16 = " <!--The ID below indicates application support for Windows 8 -->" fullword ascii
        $s17 = " <!--The ID below indicates application support for Windows 7 -->" fullword ascii
        $s18 = "Wr:\\D;" fullword ascii
        $s19 = "px:\"M$" fullword ascii
        $s20 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 23000KB and
        8 of them
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.