FalseXmrigRAT
UPX-packed PE32 RAT that masquerades as the xmrig crypto miner and ships with a misleading .elf extension despite being a Windows PE. Observed capabilities: process hollowing via NtUnmapViewOfSection, webcam capture through AVICAP32, GDI+ screenshot capture, FTP data exfiltration via FtpPutFileA, second-stage payload download via URLDownloadToFileA, and command execution through ShellExecuteA (cmd).
Threat Profile
Type
RAT
Programming Language
C/C++
C2 Protocol
FTP/HTTP
First Seen
2024
Targets
Global
Purpose / Capabilities
- Remote Access/Stealer/Webcam/Screenshot
No C2 servers have been identified for this family yet.
Research Reports (1)
FalseXmrigRAT f38504f5 -- NtUnmapViewOfSection Process Hollowing, AVICAP32 Webcam, GdipFree Screenshot, FtpPutFileA FTP Exfil, URLDownloadToFileA, UPX Packed, Impersonator Posing as xmrig | High
FalseXmrigRAT f38504f5: UPX-packed PE32 x86, 355 KB. NtUnmapViewOfSection process hollowing. AVICAP32 webcam capture. GdipFree screenshot. FtpPutFileA FTP exfiltration. URLDownloadToFile second-stage download. Impersonates the xmrig miner.