Indicator (IOC)
Essential information
- Value / Name: 7b4bf9db4e8e6f8216d65457fdae6ed7497b7602
- Confidence: 100/100
- Revoked: Yes
- Valid from: 14/07/2022 10:54
- Valid until: 17/10/2023 10:54
- Pattern type: yara
- Published: 20/12/2025 19:34
- Modified: 20/12/2025 21:23
- Author / Source: AlienVault
Description
files - file ex.exe.bin
Pattern
rule file_ex_exe {
    meta:
        description = "files - file ex.exe.bin"
        author = "TheDFIRReport"
        reference = "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
        date = "2022/07/10"
        hash1 = "428d06c889b17d5f95f9df952fc13b1cdd8ef520c51e2abff2f9192aa78a4b24"
    strings:
        $s1 = "d:\\Projects\\WinRAR\\rar\\build\\unrar32\\Release\\UnRAR.pdb" fullword ascii
        $s2 = "rar.log" fullword wide
        $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
        $s4 = " processorArchitecture=\"*\"" fullword ascii
        $s5 = "%c%c%c%c%c%c%c" fullword wide /* reversed goodware string 'c%c%c%c%c%c%c%' */
        $s6 = " version=\"1.0.0.0\"" fullword ascii
        $s7 = "%12ls: RAR %ls(v%d) -m%d -md=%d%s" fullword wide
        $s8 = " hp[password] " fullword wide
        $s9 = " %s - " fullword wide
        $s10 = "yyyymmddhhmmss" fullword wide
        $s11 = "-------- %2d %s %d, " fullword wide
        $s12 = " Type Descriptor'" fullword ascii
        $s13 = "\\$\\3|$4" fullword ascii /* hex encoded string '4' */
        $s14 = " processorArchitecture=\"*\"" fullword ascii
        $s15 = " constructor or from DllMain." fullword ascii
        $s16 = "----------- --------- -------- ----- ----" fullword wide
        $s17 = "----------- --------- -------- ----- -------- ----- -------- ----" fullword wide
        $s18 = "%-20s - " fullword wide
        $s19 = " publicKeyToken=\"6595b64144ccf1df\"" fullword ascii
        $s20 = " version=\"6.0.0.0\"" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 900KB and
        8 of them
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.