Manual Static Analysis — XMRig CoinMiner ELF | Threat: CRITICAL

File Identity

SHA256          e55ed4e871eb3ed2d086e8e30876ca9572b48ea54d413b02e62a9e9f0a8c06a
File name       _up.bin (Linux ELF)
Size            5,338,704 bytes (5.3 MB)
String count    22,265
Platform        Linux ELF (x86_64)

Cleartext Mining Pool -- VERIFIED

CRITICAL IOC: mining pool addresses were found in cleartext in the binary's strings.
extranonce.su    <-- XMR mining pool
mining.su        <-- XMR mining pool
glibc.me         <-- Linux ELF library name (not a false positive; suspicious domain)

Ghostrider Algorithm

ghostrider/rtm   -- Ghostrider (Raptoreum) algorithm
ghostrider       -- Ghostrider Monero mining
pool_wallet      -- wallet address config field
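The cleartext findings above come from a string sweep of the binary. As an added example that is not part of the original report, the following Python script reproduces that check for a triage pipeline: it pulls printable-ASCII runs out of a blob the way `strings` does, then matches them against the report's three pool domains and its config markers, treating a domain hit as the critical signal. The sample blob is constructed here to stand in for the ELF and is not the real `_up.bin`; the matching rule (whole domain, not a substring of a longer hostname) is this example's own design choice.

```python
import re
from typing import Dict, List, Union

# Indicators copied from the report above.
IOC_DOMAINS = ("extranonce.su", "mining.su", "glibc.me")
# Algorithm/config strings the report lists as miner markers.
MINER_MARKERS = ("ghostrider", "ghostrider/rtm", "pool_wallet")

# Constructed stand-in for the ELF sample (NOT the real _up.bin): an ELF magic,
# a few cleartext strings, and some binary noise between them.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"GCC: (GNU) 12.2.0\x00"
    + b"stratum+tcp://mining.su:3333\x00"
    + b"pool_wallet\x00"
    + b"ghostrider/rtm\x00"
    + b"https://glibc.me/update\x00"
    + b"\x01\x02\x03\x04"
    + b"extranonce.su\x00"
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes (the classic `strings` heuristic)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def _domain_pattern(domain: str) -> "re.Pattern[str]":
    # Match the domain as a complete hostname: "stratum+tcp://mining.su:3333" hits,
    # while "mining.subdomain.example" or "xmining.su" do not.
    return re.compile(r"(?<![A-Za-z0-9.-])" + re.escape(domain) + r"(?![A-Za-z0-9-])")


def scan_for_miner_iocs(blob: bytes) -> Dict[str, Union[bool, str, List[str]]]:
    """Sweep a blob for the report's pool domains and miner config markers.

    Returns a dict with the ELF-magic check, sorted lists of matched domains and
    markers, and a verdict: "critical" on any pool-domain hit, "suspicious" on
    marker-only hits, otherwise "clean".
    """
    strings = extract_strings(blob)
    domains = sorted(
        d for d in IOC_DOMAINS if any(_domain_pattern(d).search(s) for s in strings)
    )
    markers = sorted(m for m in MINER_MARKERS if any(m in s for s in strings))
    if domains:
        verdict = "critical"
    elif markers:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "is_elf": blob.startswith(b"\x7fELF"),
        "domains": domains,
        "markers": markers,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    import sys

    # Pass a file path to scan a real sample; with no argument the constructed blob is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(json.dumps(scan_for_miner_iocs(data), indent=2))
```

Run it on a quarantined copy of a suspect binary (`python3 scan.py /path/to/sample`) and feed the JSON into your ticketing or SIEM enrichment; the whole-hostname rule keeps an unrelated string such as `mining.subdomain.example` from being counted as a hit on `mining.su`.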

IOC

SHA256          e55ed4e871eb3ed2d086e8e30876ca9572b48ea54d413b02e62a9e9f0a8c06a
Mining pool     extranonce.su
Mining pool     mining.su
Algorithm       Ghostrider (XMR/RTM)

XMRig — Malware Profile

XMRig here refers to maliciously repurposed builds of the open-source Monero (XMR) miner. It is distributed as Linux ELF and Windows PE binaries, supports Ghostrider, RandomX and other algorithms, and carries its mining pool addresses in cleartext.

Malware Type            Coinminer
Programming Language    C++
C2 Protocol             TCP
Target Systems          Windows/Linux

Capabilities & Behavior

CPU/GPU Mining
Cryptocurrency Generation
Resource Consumption
Persistence
Anti-Analysis
Propagation Mechanism

IOC List (3 indicators)

IOC — XMRig
# DOMAIN extranonce.su
# DOMAIN mining.su
# DOMAIN glibc.me

Type     Value            Note
domain   extranonce.su    -
domain   mining.su        -
domain   glibc.me         -

C2 Servers (2 recorded servers for this family)

Address          Type     Port   Protocol   Status     Country
mining.su        domain   -      TCP        active     -
extranonce.su    domain   -      TCP        inactive   -

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
xmrig, coinminer, linux-elf, extranonce-su, mining-su, ghostrider, monero