216.73.217.80

Indicator (IOC)

Pattern type: yara · Status: Revoked · Source: AlienVault · Published 20/12/2025 19:34 · Modified 20/12/2025 21:23

Essential information

Value / Name
838b6da59df959660b6ef3cbff1a4171752eb974
Confidence
100/100
Revoked
Yes
Valid from
14/07/2022 10:54
Valid until
17/10/2023 10:54
Pattern type
yara
Published
20/12/2025 19:34
Modified
20/12/2025 21:23
Author / Source
AlienVault

Description

file kit.bat

Pattern

rule miner_batch {
   meta:
      description = "file kit.bat"
      author = "TheDFIRReport"
      reference = "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
      date = "2022/07/10"
      hash1 = "4905b7776810dc60e710af96a7e54420aaa15467ef5909b260d9a9bc46911186"
   strings:
      $a1 = "%~dps0" fullword ascii
      $a2 = "set app" fullword ascii
      $a3 = "cd /d \"%~dps0\"" fullword ascii
      $a4 = "set usr=jood" fullword ascii
      $s1 = "schtasks /run" fullword ascii
      $s2 = "schtasks /delete" fullword ascii
      $a5 = "if \"%1\"==\"-s\" (" fullword ascii
   condition:
      uint16(0) == 0xfeff and filesize < 1KB and
      3 of ($a*) and 1 of ($s*)
}
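Reading the condition: uint16(0) is a little-endian read, so 0xfeff means the file begins with the bytes FF FE, which is the UTF-16LE byte-order mark; the filesize cap keeps the rule to small launcher scripts; and the two "of" clauses require three of the five batch-file markers plus at least one schtasks call. The string modifiers matter as much as the condition: "ascii" matches only the single-byte encoding, so a file that really is UTF-16LE text (every character followed by a NUL byte) would need the "wide" modifier for those strings to hit. The script below is an added example, not part of the AlienVault record or of TheDFIRReport's rule: it re-implements the condition in plain Python (an approximation of YARA's fullword boundary check, good enough for batch text) and runs it over three constructed files that resemble but are not the real kit.bat, so the interaction between the BOM check and the string encoding can be seen without a yara-python install.

```python
import re
import struct

# The rule's strings, split into the two groups its condition counts.
A_STRINGS = [b"%~dps0", b"set app", b'cd /d "%~dps0"', b"set usr=jood", b'if "%1"=="-s" (']
S_STRINGS = [b"schtasks /run", b"schtasks /delete"]

ALNUM = rb"[A-Za-z0-9]"


def string_matches(data: bytes, needle: bytes, wide: bool = False) -> bool:
    """Emulate a YARA text string carrying the fullword modifier.

    ascii (default): the literal bytes, not bordered by an alphanumeric byte.
    wide: the UTF-16LE encoding, not bordered by an alphanumeric UTF-16LE char.
    This is an approximation of YARA's boundary rule, adequate for batch text.
    """
    if wide:
        body = re.escape(needle.decode("ascii").encode("utf-16-le"))
        pat = rb"(?<!" + ALNUM + rb"\x00)" + body + rb"(?!" + ALNUM + rb"\x00)"
    else:
        pat = rb"(?<!" + ALNUM + rb")" + re.escape(needle) + rb"(?!" + ALNUM + rb")"
    return re.search(pat, data) is not None


def uint16(data: bytes, offset: int):
    """YARA uint16(offset): little-endian unsigned 16-bit read; None past EOF."""
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]


def evaluate_miner_batch(data: bytes, wide: bool = False) -> dict:
    """Evaluate the miner_batch condition and return every sub-term."""
    a_hits = sum(string_matches(data, s, wide) for s in A_STRINGS)
    s_hits = sum(string_matches(data, s, wide) for s in S_STRINGS)
    terms = {
        # 0xfeff read little-endian means bytes FF FE at offset 0 (UTF-16LE BOM).
        "magic_ok": uint16(data, 0) == 0xFEFF,
        "size_ok": len(data) < 1024,   # filesize < 1KB
        "a_hits": a_hits,              # 3 of ($a*)
        "s_hits": s_hits,              # 1 of ($s*)
    }
    terms["match"] = terms["magic_ok"] and terms["size_ok"] and a_hits >= 3 and s_hits >= 1
    return terms


# Constructed batch text that carries the rule's markers (not the real kit.bat).
BATCH_TEXT = (
    '@echo off\r\n'
    'cd /d "%~dps0"\r\n'
    'set app=svc\r\n'
    'set usr=jood\r\n'
    'if "%1"=="-s" (\r\n'
    '  schtasks /run /tn %app%\r\n'
    '  schtasks /delete /tn %app% /f\r\n'
    ')\r\n'
)
# FF FE followed by single-byte text: passes the magic check and the ascii strings.
SAMPLE_BOM_ASCII = b"\xff\xfe" + BATCH_TEXT.encode("ascii")
# A genuine UTF-16LE file with BOM: the ascii strings never occur contiguously.
SAMPLE_UTF16 = b"\xff\xfe" + BATCH_TEXT.encode("utf-16-le")
# Plain ASCII with no BOM: all strings present, but uint16(0) is not 0xfeff.
SAMPLE_PLAIN = BATCH_TEXT.encode("ascii")

if __name__ == "__main__":
    for name, sample in [("bom+ascii", SAMPLE_BOM_ASCII),
                         ("utf16le", SAMPLE_UTF16),
                         ("plain", SAMPLE_PLAIN)]:
        print(name, evaluate_miner_batch(sample))
    print("utf16le with wide strings", evaluate_miner_batch(SAMPLE_UTF16, wide=True))
```

Only the first sample fires as the rule is written; the UTF-16LE sample passes the BOM check but scores zero string hits until the strings are evaluated as wide, and the plain-ASCII sample scores every string but fails the magic check. When tuning or re-using this pattern, check which of those two shapes the real sample has before deciding whether "ascii", "wide" or "ascii wide" is the right modifier.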

Labels / Tags

Labels: coinminer, microsoft sql server, mssql, xmrig

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.