216.73.217.50

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:34 · Modified 20/12/2025 21:23

Essential information

Value / Name
7b4bf9db4e8e6f8216d65457fdae6ed7497b7602
Confidence
100/100
Revoked
Yes
Valid from
14/07/2022 10:54
Valid until
17/10/2023 10:54
Pattern type
yara
Published
20/12/2025 19:34
Modified
20/12/2025 21:23
Author / Source
AlienVault

Description

files - file ex.exe.bin

Pattern

rule file_ex_exe {
   meta:
      description = "files - file ex.exe.bin"
      author = "TheDFIRReport"
      reference = "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
      date = "2022/07/10"
      hash1 = "428d06c889b17d5f95f9df952fc13b1cdd8ef520c51e2abff2f9192aa78a4b24"
   strings:
      $s1 = "d:\\Projects\\WinRAR\\rar\\build\\unrar32\\Release\\UnRAR.pdb" fullword ascii
      $s2 = "rar.log" fullword wide
      $s3 = "      <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
      $s4 = "  processorArchitecture=\"*\"" fullword ascii
      $s5 = "%c%c%c%c%c%c%c" fullword wide /* reversed goodware string 'c%c%c%c%c%c%c%' */
      $s6 = "  version=\"1.0.0.0\"" fullword ascii
      $s7 = "%12ls: RAR %ls(v%d) -m%d -md=%d%s" fullword wide
      $s8 = "  hp[password]  " fullword wide
      $s9 = " %s - " fullword wide
      $s10 = "yyyymmddhhmmss" fullword wide
      $s11 = "--------  %2d %s %d, " fullword wide
      $s12 = " Type Descriptor'" fullword ascii
      $s13 = "\\$\\3|$4" fullword ascii /* hex encoded string '4' */
      $s14 = "      processorArchitecture=\"*\"" fullword ascii
      $s15 = " constructor or from DllMain." fullword ascii
      $s16 = "----------- ---------  -------- -----  ----" fullword wide
      $s17 = "----------- ---------  -------- ----- -------- -----  --------  ----" fullword wide
      $s18 = "%-20s - " fullword wide
      $s19 = "      publicKeyToken=\"6595b64144ccf1df\"" fullword ascii
      $s20 = "      version=\"6.0.0.0\"" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 900KB and
      8 of them
}
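To see what the condition above actually requires of a file, the following Python re-implements the matching semantics of this one rule (uint16(0) read little-endian, YARA's 1024-byte KB, ascii strings as raw bytes, wide strings as UTF-16LE, fullword meaning no alphanumeric character on either side, and the 8-of-20 threshold) and runs it over buffers constructed inline. This is an added example and not code from the page, AlienVault or TheDFIRReport, nor a substitute for yara-python; the sample buffers and the SEVEN/EIGHT string sets are constructed for illustration.

```python
"""Re-implementation of the file_ex_exe rule's matching semantics.

Added example, not code from the page, AlienVault or TheDFIRReport.
It mirrors YARA's behaviour for this rule only: uint16(0) is little-endian,
`KB` means 1024 bytes, `ascii` strings match as raw bytes, `wide` strings as
UTF-16LE, and `fullword` requires no alphanumeric character next to the
match.  All sample inputs below are constructed.
"""
from typing import List, Tuple

# (identifier, literal exactly as written in the rule, modifier)
YARA_STRINGS: List[Tuple[str, str, str]] = [
    ("$s1", r"d:\\Projects\\WinRAR\\rar\\build\\unrar32\\Release\\UnRAR.pdb", "ascii"),
    ("$s2", r"rar.log", "wide"),
    ("$s3", r'      <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>', "ascii"),
    ("$s4", r'  processorArchitecture=\"*\"', "ascii"),
    ("$s5", r"%c%c%c%c%c%c%c", "wide"),
    ("$s6", r'  version=\"1.0.0.0\"', "ascii"),
    ("$s7", r"%12ls: RAR %ls(v%d) -m%d -md=%d%s", "wide"),
    ("$s8", r"  hp[password]  ", "wide"),
    ("$s9", r" %s - ", "wide"),
    ("$s10", r"yyyymmddhhmmss", "wide"),
    ("$s11", r"--------  %2d %s %d, ", "wide"),
    ("$s12", r" Type Descriptor'", "ascii"),
    ("$s13", r"\\$\\3|$4", "ascii"),
    ("$s14", r'      processorArchitecture=\"*\"', "ascii"),
    ("$s15", r" constructor or from DllMain.", "ascii"),
    ("$s16", r"----------- ---------  -------- -----  ----", "wide"),
    ("$s17", r"----------- ---------  -------- ----- -------- -----  --------  ----", "wide"),
    ("$s18", r"%-20s - ", "wide"),
    ("$s19", r'      publicKeyToken=\"6595b64144ccf1df\"', "ascii"),
    ("$s20", r'      version=\"6.0.0.0\"', "ascii"),
]

_ESCAPES = {"\\": "\\", '"': '"', "n": "\n", "t": "\t", "r": "\r"}


def unescape(literal: str) -> str:
    """Decode YARA text-string escapes: \\\\ \\" \\n \\t \\r \\xNN."""
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            if nxt == "x" and i + 3 < len(literal):
                out.append(chr(int(literal[i + 2:i + 4], 16)))
                i += 4
                continue
            out.append(_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def encode(literal: str, modifier: str) -> bytes:
    """Turn a rule literal into the byte pattern YARA searches for."""
    text = unescape(literal)
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("latin-1")


def _alnum_unit(chunk: bytes, wide: bool) -> bool:
    """True if the neighbouring character unit is alphanumeric (fullword check)."""
    if wide:
        return len(chunk) == 2 and chunk[1] == 0 and bytes([chunk[0]]).isalnum()
    return len(chunk) == 1 and chunk.isalnum()


def fullword_hits(data: bytes, pattern: bytes, wide: bool) -> int:
    """Count occurrences of pattern that are not bordered by alphanumerics."""
    unit = 2 if wide else 1
    count, start = 0, 0
    while (idx := data.find(pattern, start)) >= 0:
        before = data[idx - unit:idx] if idx >= unit else b""
        after = data[idx + len(pattern):idx + len(pattern) + unit]
        if not _alnum_unit(before, wide) and not _alnum_unit(after, wide):
            count += 1
        start = idx + 1
    return count


def evaluate(data: bytes) -> Tuple[bool, List[str]]:
    """Apply the rule's condition; return (matched, ids of strings that hit)."""
    hits = [sid for sid, lit, mod in YARA_STRINGS
            if fullword_hits(data, encode(lit, mod), mod == "wide") > 0]
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    under_900kb = len(data) < 900 * 1024          # YARA's KB multiplier is 1024
    return is_mz and under_900kb and len(hits) >= 8, hits


def build_sample(ids, mz: bool = True, pad: int = 0) -> bytes:
    """Constructed test buffer: a 2-byte header, the chosen strings, NUL padding."""
    parts = [b"MZ" if mz else b"PK"]
    for sid, lit, mod in YARA_STRINGS:
        if sid in ids:
            parts.append(b"\x00\x00" + encode(lit, mod) + b"\x00\x00")
    parts.append(b"\x00" * pad)
    return b"".join(parts)


# Constructed string sets chosen so that no string is a substring of another.
SEVEN = {"$s1", "$s2", "$s5", "$s7", "$s8", "$s10", "$s12"}
EIGHT = SEVEN | {"$s13"}

if __name__ == "__main__":
    print(evaluate(build_sample(EIGHT)))            # (True, 8 ids)
    print(evaluate(build_sample(SEVEN)))            # (False, 7 ids): one string short
    print(evaluate(build_sample(EIGHT, mz=False)))  # (False, 8 ids): not an MZ image
```

Two things worth noticing when reading the rule this way. First, several strings overlap ($s4 is a suffix of $s14, $s6 and $s20 differ only in their version value and indentation), so a file can clear the 8-of-them bar with fewer than eight distinct artefacts; the sets above avoid that so the threshold is exercised honestly. Second, every string in the rule is an ordinary UnRAR build artefact (the PDB path, RAR usage text, the Common Controls manifest fragment), so a hit identifies an UnRAR-like binary rather than something unique to this intrusion; use the hash1 value in the meta block to confirm the specific sample from the report.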

Labels / Tags

Labels: coinminer microsoft sql server mssql xmrig

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.