Indicator (IOC)
Essential information
- Value / Name
- 838b6da59df959660b6ef3cbff1a4171752eb974
- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 14/07/2022 10:54
- Valid until
- 17/10/2023 10:54
- Pattern type
- yara
- Published
- 20/12/2025 19:34
- Modified
- 20/12/2025 21:23
- Author / Source
- AlienVault
Description
file kit.bat
Pattern
rule miner_batch {
    meta:
        description = "file kit.bat"
        author = "TheDFIRReport"
        reference = "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
        date = "2022/07/10"
        hash1 = "4905b7776810dc60e710af96a7e54420aaa15467ef5909b260d9a9bc46911186"
    strings:
        // batch-file idioms: script's own directory and variable setup
        $a1 = "%~dps0" fullword ascii
        $a2 = "set app" fullword ascii
        $a3 = "cd /d \"%~dps0\"" fullword ascii
        $a4 = "set usr=jood" fullword ascii
        // scheduled-task manipulation used by the script
        $s1 = "schtasks /run" fullword ascii
        $s2 = "schtasks /delete" fullword ascii
        $a5 = "if \"%1\"==\"-s\" (" fullword ascii
    condition:
        // first two bytes are a UTF-16 byte-order mark (FF FE read little-endian),
        // the file is small, and enough of the batch markers plus one schtasks string are present
        uint16(0) == 0xfeff and filesize < 1KB and
        3 of ($a*) and 1 of ($s*)
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.