{"report_id":"6adc71e3-548d-474e-99c5-8b978b9b360c","version":6,"status":"done","tags":[],"date":"2024-01-15T07:46:34Z","url":{"schema":"http","addr":"xmrig.mine.bz/xmrigARM-android-arm64v8.zip","fqdn":"xmrig.mine.bz","domain":"mine.bz","tld":"bz"},"ip":{"addr":"185.176.43.61","port":0,"asn":44476,"as":"Zetta Hosting Solutions LLC.","country":"Bulgaria","country_code":"BG"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T03:59:49Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"xmrig.mine.bz","ip":{"addr":"185.176.43.61","port":0,"asn":44476,"as":"Zetta Hosting Solutions LLC.","country":"Bulgaria","country_code":"BG"},"domain_registered":"2007-08-30","domain_rank":0,"first_seen":"2024-01-15 08:42:33","last_seen":"2024-01-15 08:42:33","alert_count":0,"request_count":2,"received_data":826,"sent_data":824,"comment":"","tags":null,"fingerprints":null},{"fqdn":"my.powerfolder.com","ip":{"addr":"195.201.181.138","port":443,"asn":24940,"as":"Hetzner Online GmbH","country":"Germany","country_code":"DE"},"domain_registered":"2004-03-02","domain_rank":0,"first_seen":"2014-01-17 20:49:44","last_seen":"2024-01-04 04:25:58","alert_count":0,"request_count":1,"received_data":2045071,"sent_data":535,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"1f01c495d23a326ee81cd6cba7add4ed","sha1":"391c79a132e070638741a3b99e0d3b1446dfbfcd","sha256":"eb0dbd9e010d92c83c4be44ffe95a4fe6f90e732b283ba29f47e340daabb6140","sha512":"76a026dbb9fdf058392d57c199c4f6d03682dd7856d1b31359627451f38c7fc1035d140cca3e7c4ecb0a684a3bab68faca3b89bb06eb89cd3240ab990f34c4b3","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","size":2044455,"url":{"schema":"https","addr":"my.powerfolder.com/dl/fiTd6oCun9dPvotjRHgvAd9P/xmrigARM-1.9.5-android-arm64v8.zip","fqdn":"my.powerfolder.com","domain":"powerfolder.com","tld":"com"},"ip":{"addr":"195.201.181.138","port":443,"asn":24940,"as":"Hetzner Online GmbH","country":"Germany","country_code":"DE"},"archive":[{"path":"xmrigARM","filename":"xmrigARM","modified":"","Modified":"2022-11-15T15:15:41+08:00","magic":"ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV)","size":1827316,"md5":"8224743af157c3d463e945affe50e2b3","sha1":"92df0bb9af2ead1f1c5f742f48e2966679843e08","sha256":"487b88dd8b2fdb61d6d2493784b0a2c4326ef920d9a126c80f2e0409b4f8fef2","sha512":"c811e469843f6c2bf54946107168df85088fad9e7f6923eae37101c25add877071d027dca7411b1a967c8f207cce230bfd866157abb048cb9260626b54cf039b","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-01-15","alert":"Detects a suspicious ELF binary with UPX compression","trigger":"xmrigARM","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-12","description":"Detects a suspicious ELF binary with UPX compression","hash1":"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4","reference":"Internal Research","rule":"SUSP_ELF_LNX_UPX_Compressed_File","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-01-15","alert":"Linux.Trojan.Godropper","trigger":"xmrigARM","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-06","fingerprint":"5a7b0906ebc47130aefa868643e1e0a40508fe7a25bc55e5c41ff284ca2751e5","id":"bae099bd-c19a-4893-96e8-63132dabce39","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"704643f3fd11cda1d52260285bf2a03bccafe59cfba4466427646c1baf93881e","rule":"Linux_Trojan_Godropper_bae099bd","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Godropper"}}]}},{"path":"libc++_shared.so","filename":"libc++_shared.so","modified":"","Modified":"2022-06-15T16:56:46+08:00","magic":"ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV)","size":936368,"md5":"25e5618db19e9269871c57abe69aed22","sha1":"7a22e2347bed45bcbae8411d0d3092b5f20dc0b0","sha256":"619e5674ccfdd2f5b1baf0d955f0e541b3348f8d683eb88c1bbfad5f5282cc56","sha512":"d797921c01edb7abbe3d0a79687a429da9b8882700c18f71253df30411bf7b77a78e1977e105712194bc6cdca84fec9ab4ac79d2a04cd0d41eee3b803fee7188","alerts":{"urlquery":null,"analyzer":null}},{"path":"runme.sh","filename":"runme.sh","modified":"","Modified":"2022-11-15T14:36:45+08:00","magic":"ASCII text","size":404,"md5":"8674b0cd291f2d3ff9235f0ee1c29a5d","sha1":"6d8b7a82f2f91644d100df275180f96fedecf9c5","sha256":"271816ab2d4ae1508b418855d4c4a941a08c04433efee269e1dbe3b399e19337","sha512":"a2569576c2949e78eabc18d891fa25848e0617e1bcebb2a4d4b31185f69c0fbaea22b8c68f4c0f8956b077e7e3700183f7ad2c180ece6ef50cc9a57c18118c87","alerts":{"urlquery":null,"analyzer":null}},{"path":"README.txt","filename":"README.txt","modified":"","Modified":"2022-11-15T14:36:45+08:00","magic":"Unicode text, UTF-8 text","size":1026,"md5":"2562d6ab48bcf7fd6446990c2b39ff7f","sha1":"85f772e79e780cada49af74c7d7a9b76fe966eb9","sha256":"60c3590eaea5de06062d57a8e5482e162eb9c777cfa83873ac6a521f07c7ab76","sha512":"6ff8d53be242c81b466f11edcae4f0721f40a150fe9256b18ccbd8cfc6886fd9c2953f40639a6e1e231181885012d09135a7eaf9f54108fcad25762d7fd296ad","alerts":{"urlquery":null,"analyzer":null}},{"path":"xmrig","filename":"xmrig","modified":"","Modified":"2022-11-15T14:36:45+08:00","magic":"ASCII text","size":663,"md5":"0de5cf91b48108277c02bbe4a1ed8836","sha1":"b9065883c15152c183ae7e4b8f423c143048fd3a","sha256":"d78477f9daad83a29b9f1651755a4bd70164890a893cefd1be87965b418f38fb","sha512":"fbdd4ff77e66d07b406a7c564225df8e0c44dbf8a2d8f014ee5196e0366569ef6faf9d18d0d111c828b534f13b90b84907bb4ee99445a598dd085071b5901346","alerts":{"urlquery":null,"analyzer":null}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-01-15","alert":"Detects a suspicious ELF binary with UPX compression","trigger":"xmrigARM","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-12-12","description":"Detects a suspicious ELF binary with UPX compression","hash1":"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4","reference":"Internal Research","rule":"SUSP_ELF_LNX_UPX_Compressed_File","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-01-15","alert":"Linux.Trojan.Godropper","trigger":"xmrigARM","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-06","fingerprint":"5a7b0906ebc47130aefa868643e1e0a40508fe7a25bc55e5c41ff284ca2751e5","id":"bae099bd-c19a-4893-96e8-63132dabce39","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"704643f3fd11cda1d52260285bf2a03bccafe59cfba4466427646c1baf93881e","rule":"Linux_Trojan_Godropper_bae099bd","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Godropper"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"xmrig.mine.bz/xmrigARM-android-arm64v8.zip","fqdn":"xmrig.mine.bz","domain":"mine.bz","tld":"bz"},"ip":{"addr":"185.176.43.61","port":0,"asn":44476,"as":"Zetta Hosting Solutions LLC.","country":"Bulgaria","country_code":"BG"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-01-15T07:46:08.634Z","timestamp":1705304768634,"http_version":"","security_state":"broken","security_info":null,"request":{"raw":"GET /xmrigARM-android-arm64v8.zip HTTP/1.1\r\nHost: xmrig.mine.bz\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 301 Moved Permanently\r\nDate: Mon, 15 Jan 2024 07:46:08 GMT\r\nServer: Apache\r\nLocation: http://xmrig.mine.bz/xmrigARM-android-arm64v8.php\r\nContent-Length: 257\r\nKeep-Alive: timeout=3, max=170\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":257,"size_decoded":257,"mime_type":"","magic":"HTML document, ASCII text","md5":"ebf78b5aae99daf7a4c003e6a1c0989f","sha1":"ad38e02895823fd0fded8125e4d6f69ef2ae5ca9","sha256":"5ada7a74f0b2d61105d0bdacf99a2aa50e94acaf96939ee3d6b7767e4f77a9a5","sha512":"6d523351072f04d46aabe054d16701af8c01f4fbffb2330f44e3dd949b0a8648bdfda741a8b15707df68656179ec5a9a82e122e7e49f090f38e406c79225d795","ssdeep":"","tlshash":"03d095fc974324c170533f40bdd110d1a47d04b2628714d915e75dc5d05c1b748cf4d9","first_seen":"2024-01-15T08:46:45Z","last_seen":"2024-08-20T12:27:38.499126Z","times_seen":2,"resource_available":false,"data":null}},"time_used":114,"timings":{"blocked":0,"dns":0,"connect":48,"send":0,"wait":0,"receive":0,"ssl":63},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"xmrig.mine.bz/xmrigARM-android-arm64v8.php","fqdn":"xmrig.mine.bz","domain":"mine.bz","tld":"bz"},"ip":{"addr":"185.176.43.61","port":80,"asn":44476,"as":"Zetta Hosting Solutions LLC.","country":"Bulgaria","country_code":"BG"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-01-15T07:46:09.148Z","timestamp":1705304769148,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /xmrigARM-android-arm64v8.php HTTP/1.1\r\nHost: xmrig.mine.bz\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 301 Moved Permanently\r\nDate: Mon, 15 Jan 2024 07:46:09 GMT\r\nServer: Apache\r\nLocation: https://my.powerfolder.com/dl/fiTd6oCun9dPvotjRHgvAd9P/xmrigARM-1.9.5-android-arm64v8.zip\r\nContent-Length: 0\r\nKeep-Alive: timeout=3, max=169\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"301","status_text":"Moved Permanently","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"application/x-zip-compressed","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-04-05T01:47:03.978699Z","times_seen":13354468,"resource_available":true,"data":null}},"time_used":50,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":50,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"my.powerfolder.com/dl/fiTd6oCun9dPvotjRHgvAd9P/xmrigARM-1.9.5-android-arm64v8.zip","fqdn":"my.powerfolder.com","domain":"powerfolder.com","tld":"com"},"ip":{"addr":"195.201.181.138","port":443,"asn":24940,"as":"Hetzner Online GmbH","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-01-15T07:46:09.199Z","timestamp":1705304769199,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","key_group_name":"P384","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.2","cert":{"subject":{"commonName":"*.powerfolder.com","organization":""},"issuer":{"commonName":"Go Daddy Secure Certificate Authority - G2","organization":"GoDaddy.com, Inc."},"validity":{"start":"Thu, 13 Apr 2023 07:26:34 GMT","end":"Thu, 11 Apr 2024 19:39:46 GMT"},"fingerprint":{"sha1":"D3:F0:08:52:86:89:20:A7:AA:02:8B:18:5E:68:75:47:3A:94:01:57","sha256":"34:73:6F:55:0C:54:EE:51:C2:B9:7C:31:6E:5A:8D:57:42:84:85:A9:40:A0:F7:93:A4:95:74:47:62:08:15:D2"}}},"request":{"raw":"GET /dl/fiTd6oCun9dPvotjRHgvAd9P/xmrigARM-1.9.5-android-arm64v8.zip HTTP/1.1\r\nHost: my.powerfolder.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Mon, 15 Jan 2024 07:46:10 GMT\r\nContent-Type: application/x-zip-compressed\r\nContent-Length: 2044455\r\nConnection: keep-alive\r\nContent-Disposition: attachment;filename*=UTF-8''xmrigARM-1.9.5-android-arm64v8.zip\r\nPragma: no-cache\r\nExpires: Mon, 15 Jan 2024 07:51:10 GMT\r\nAccept-Ranges: bytes\r\nETag: zh_CN/xmrigARM-1.9.5-android-arm64v8.zip_2044455_1668758059731\r\nLast-Modified: Fri, 18 Nov 2022 07:54:19 GMT\r\nContent-Range: bytes 0-2044454/2044455\r\nCache-Control: no-cache, no-store, must-revalidate, must-revalidate\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":2044455,"size_decoded":2044455,"mime_type":"application/x-zip-compressed","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","md5":"1f01c495d23a326ee81cd6cba7add4ed","sha1":"391c79a132e070638741a3b99e0d3b1446dfbfcd","sha256":"eb0dbd9e010d92c83c4be44ffe95a4fe6f90e732b283ba29f47e340daabb6140","sha512":"76a026dbb9fdf058392d57c199c4f6d03682dd7856d1b31359627451f38c7fc1035d140cca3e7c4ecb0a684a3bab68faca3b89bb06eb89cd3240ab990f34c4b3","ssdeep":"49152:OVs0dE0VV/A9qJbITP/5+GFwlaKR6nzb+WnGgpyzsMVZ16PI:OV3EQVo9pjoGFwlm+WnrMIM31sI","tlshash":"8e9533f89cd695189bb9c1dafb7e8cd7528d41ce8cb786406bb75e9d9f801238a0c470","first_seen":"2024-01-15T08:46:31Z","last_seen":"2024-08-20T12:27:38.500706Z","times_seen":3,"resource_available":false,"data":null}},"time_used":2498,"timings":{"blocked":1085,"dns":1,"connect":35,"send":0,"wait":38,"receive":290,"ssl":1046},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}