{"id":2872,"date":"2024-09-25T20:20:53","date_gmt":"2024-09-25T20:20:53","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2872"},"modified":"2025-07-29T06:44:07","modified_gmt":"2025-07-29T06:44:07","slug":"blouiroet-malware-masquerading-as-a-miner","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/blouiroet-malware-masquerading-as-a-miner\/","title":{"rendered":"Blouiroet malware masquerading as a miner"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Overview <\/strong><\/p>\n\n\n\n

With cryptocurrency taking the world by storm, it\u2019s no surprise hackers have found a way to exploit the frenzy. Blouiroet, a trojan with the ability to establish remote access connections, keylog, collect system information, download\/upload files, and drop further malware on the infected system, is being sold on the dark web disguised as a crypto-miner. <\/p>\n\n\n\n

To be clear, a phishing URL (highlighted in the dark web advertisement below) is being sold to attackers who then craft an email purporting to offer access to cryptomining software. This is then distributed via a spam email campaign \u2013 in Blouiroet\u2019s case, it has been used to target victims in the U.S, France and China.  <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The following Operating Systems are vulnerable to Blouiroet:

\u2022    Windows 2000

\u2022    Windows 95

\u2022    Windows 98

\u2022    Windows Me

\u2022    Windows NT

\u2022    Windows Server 2003

\u2022    Windows XP

\u2022    Windows Vista

\u2022    Windows 7 (x86\/x64)

\u2022    Windows 8 (x86\/x64)

\u2022    Windows 10 (x86\/x64)<\/p>\n\n\n\n

File Details <\/strong><\/p>\n\n\n\n

File type<\/strong><\/td>Portable Executable (PE) file<\/td><\/tr>
Md5 hash<\/strong><\/td>905a5167b248647ce31d57d241aacd63<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis<\/strong><\/p>\n\n\n\n

Static analysis quickly uncovered the file\u2019s malicious behavior. Strings were discovered showing the malware searching for various files, checking path names of %TEMP% directory, setting file attributes where the malware was present, and executing command line. Once the fake cryptominer link is clicked, an installation procedure executes. The installation process is designed to fail, with the error message containing a link \u2018for more information\u2019. This link takes the victim directly to Blouiroet\u2019s Command and Control (C&C) server [H**p: \/\/nsis [.]Sf [.]Net\/NSIS_Error]. <\/p>\n\n\n\n

The below images illustrate the malicious string associated:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Below process describes the flow of malicious code which gathers victim system and file attributes and function calls. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Further analysis on the C&C uncovered it was created in Russia in September last year: <\/p>\n\n\n\n

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



Dynamic Analysis<\/strong><\/p>\n\n\n\n

<\/p>\n\n\n\n

Upon executing the sample in a dedicated malware analysis environment, we saw a chain of processes being initiated as shown below, namely acdsee.exe, cmd.exe, wscript.exe, cmd.exe rundll.exe, cmd.exe, and ss.exe:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u201css.exe\u201d, which has been dropped under \u201cC:\\ProgramData\\Rundll\u201d, establishes persistent communication with \u201cTCP 192.168.220.136\/16 445 100 \/save\u201d: <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next, \u201ccmd.exe\u201d (which is running as a non-existent process) starts and communicates with \u201c192.168.220.136\u201d:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Ultimately, \u201ccmd.exe\u201d, \u201crundll.exe\u201d, \u201ccmd.exe\u201d, and \u201css.exe\u201d are left running with communications towards the IP addresses \u201c192.168.61.40\u201d and \u201c192.168.61.41\u201d:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After some time, an error message (as mentioned in the static analysis) appears, pointing to the C&C, \u201ch**p: \/\/nsis [.]Sf [.]Net\/NSIS_Error\u201d<\/strong>:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

A number of files were then dropped on to the system, some of which we\u2019ll explore in further detail below:<\/p>\n\n\n\n

\u201cAutoCloseExe.txt\u201d was found present under \u201cC:\\Windows\\HhSm\u201d. <\/p>\n\n\n\n

This file had all the details on which processes were executed in the victim’s machine:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u201cBlocproc.txt\u201d included details on all the software installed on the machine:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u201c1.bat\u201d was present which we found querying the system registry, performing condition for error checks, and then creating a Startup entry to maintain persistence:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Another .bat file, “autoran.bat”, was responsible for checking file attributes and executing a \u201cstart.vbs\u201d file:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Additionally, \u201cC:\\WINDOWS\\HhSm\\Client.exe\u201d \u2013 a registry-value created file \u2013  establishes a connection with Russian Federation BOT IP address \u201c92.53.96.179\u201d with the domain name: hs-fileserver.info. <\/p>\n\n\n\n

Command and Control<\/strong><\/p>\n\n\n\n

\u2022    H**p: \/\/nsis [.]Sf [.]Net\/NSIS_Error

\u2022    Mine[.]zarabotaibitok[.]ru

\u2022    IP Address: 92.53.96.179<\/p>\n\n\n\n

Indicators of Compromise <\/strong>

MD5 Hash values of the dropped files:

\u2022    6fa7482b165dc6689350d22c555de51f

\u2022    63af4ca31a0d3f4729a6968564b232ea

\u2022    293f75563f7fa64d1de6945aee4299f0

\u2022    31d696f93ec84e635c4560034340e171

\u2022    770d0caa24d964ea7c04ff5daf290f08

\u2022    25313a0ad4154972b5770260ad594ed0

\u2022    ee2d6e1d976a3a92fb1c2524278922ae

\u2022    a539d27f33ef16e52430d3d2e92e9d5c

\u2022    3c2fe2dbdf09cfa869344fdb53307cb2

\u2022    f82fa69bfe0522163eb0cf8365497da2

\u2022    1ca9e6eb86036daea4dfa3297f70d542

\u2022    a05c7011ab464e6c353a057973f5a06e

\u2022    c24315b0585b852110977dacafe6c8c1

\u2022    a4e439ad454a379db68ab5b2c44a82aa

\u2022    a4e439ad454a379db68ab5b2c44a82aa

\u2022    d9b5b26f0423230e99768092f17919a3

\u2022    3e5d06dc6e7890e1800cf24c9f599856

\u2022    4ff94c163565a38a27cf997ad07b3d69

\u2022    1f0669f13dc0545917e8397063f806db

\u2022    47106682e18b0c53881252061ffcaa2d

\u2022    24aa99837d14bee5da2e2339b07f9d4c

\u2022    89b7dac7d9ce5b75b08f5d037edd3869

\u2022    8c80dd97c37525927c1e549cb59bcbf3

\u2022    756b6353239874d64291e399584ac9e5

\u2022    a6c04fca267b7b6a75dc59d6f50bd968

\u2022    a6c04fca267b7b6a75dc59d6f50bd968

\u2022    ba629216db6cf7c0c720054b0c9a13f3

\u2022    649b368c52de83e52474a20ce4f83425

\u2022    4803a7863da607333378b773b6a17f4c

\u2022    43aac72a9602ef53c5769f04e1be7386

\u2022    f01f09fe90d0f810c44dce4e94785227

\u2022    5adcbe8bbba0f6e733550ce8a9762fa0

\u2022    9a5cec05e9c158cbc51cdc972693363d

\u2022    6fe4544d00b77e0295e779e82d8f0fe5

\u2022    00dd6b018c3c2d347df43f779715bca5

\u2022    09836461312a3781af6e1298c6b2c249

\u2022    30017e300c6d92e126bf92017c195c37

\u2022    2f0a52ce4f445c6e656ecebbcaceade5

\u2022    b777086fd83d0bc1dccdc7c126b207d0

\u2022    8969668746ae64ca002cc7289cd1c5da

\u2022    e53f9e6f1916103aab8703160ad130c0

\u2022    9b80804a00bb6fa7f298d15c0947b2af

\u2022    c5fe643c7b2fb4a5e8f23411c561bb77

\u2022    c097fd043d3cbabcada0878505c7afa5

\u2022    5e8ecdc3e70e2ecb0893cbda2c18906f

\u2022    15191883753d0b230c4e89158261d4ac

\u2022    0647dcd31c77d1ee6f8fac285104771a

\u2022    f0881d5a7f75389deba3eff3f4df09ac

\u2022    f61e81eaf4a9ac9cd52010da3954c2a9

\u2022    8b0a4ce79f5ecdb17ad168e35db0d0f9

\u2022    838ceb02081ac27de43da56bec20fc76

\u2022    01d5adbfee39c5807ee46f7990f5fda7

\u2022    46f7b320b13a4b618946042360215179

\u2022    3e89c56056e5525bf4d9e52b28fbbca7

\u2022    d1aae806243cc0bedb83a22919a3a660

\u2022    83076104ae977d850d1e015704e5730a

\u2022    1fa609bc0d252ca0915d6aed2df7ccc2

\u2022    6b7276e4aa7a1e50735d2f6923b40de4

\u2022    e4a7755973b32e44e4ec60beeb7809fe

\u2022    d8d6f3a3e75da9887c165781d5b31e31

\u2022    66e0ee9a617f88f1a173ea2f0c585368

\u2022    5b72ccfa122e403919a613785779af49

\u2022    9744f0000284c2807de0651c7e0d980a

\u2022    e4ad4df4e41240587b4fe8bbcb32db15<\/p>\n\n\n\n

Domains<\/strong><\/p>\n\n\n\n

\u2022    H**p: \/\/nsis [.]Sf [.]Net\/NSIS_Error

\u2022    Mine[.]zarabotaibitok[.]ru<\/p>\n\n\n\n

Registry Value Created<\/strong><\/p>\n\n\n\n

HKLM\\SYSTEM\\CurrentControlSet\\Services\\AdobeFlashPlayerHash\\ImagePath: “C:\\WINDOWS\\HhSm\\Client.exe”<\/p>\n\n\n\n

Mitigation and Countermeasures<\/strong>

While there are no specific countermeasures for Blouiroet, beyond using the IOCs listed above, below are the best practice steps one should take to minimise their exposure to such malware:

\u2022    Update antivirus to the latest signatures

\u2022    Exercise caution while clicking on email attachments 

\u2022    Use strong passwords for data protection

\u2022    Make sure that systems are patched\/updated with the latest softwar

 <\/p>\n\n\n\n

On 2018-07-11<\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Overview  With cryptocurrency taking the world by storm, it’s no surprise hackers have found a way to exploit the frenzy. Blouiroet, a trojan with the ability to establish remote access connections, keylog, collect system information, download\/upload files, and drop further malware on the infected system, is being sold on the dark web disguised as a […]<\/p>\n","protected":false},"author":1,"featured_media":2902,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2872","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2872"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2872\/revisions"}],"predecessor-version":[{"id":4337,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2872\/revisions\/4337"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2902"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}