FalseXmrigRAT

UPX-packed PE32 RAT disguised as the xmrig crypto miner (fake .elf extension). Process hollowing via NtUnmapViewOfSection. Webcam capture through AVICAP32. Screenshots via GDI+. Data exfiltration over FTP with FtpPutFileA. Second-stage download with URLDownloadToFileA. Command execution through ShellExecuteA and CMD.

Threat Profile
Type: RAT
Programming Language: C/C++
C2 Protocol: FTP/HTTP
First Seen: 2024
Targets: Global
Purpose / Capabilities:
  • Remote Access / Stealer / Webcam / Screenshot
No C2 servers have been identified for this family yet.

Research Reports (1)

Severity: High

FalseXmrigRAT f38504f5 -- NtUnmapViewOfSection Process Hollowing, AVICAP32 Webcam, GdipFree Screenshot, FtpPutFileA FTP Exfil, URLDownloadToFileA, UPX Packed, Impersonating xmrig | High

FalseXmrigRAT f38504f5: UPX-packed PE32 x86, 355 KB. Process hollowing via NtUnmapViewOfSection. Webcam capture via AVICAP32. Screenshot via GdipFree. FTP exfiltration via FtpPutFileA. Download via URLDownloadToFileA. Impersonates the xmrig miner.