coinminer: c4ac7426 — Signed 7-Zip SFX dropper, VC++ redist masquerade, password-protected archive
SHA-256: c4ac74268abff27a68f363c4d64cdbb4f743ce5b3dcb1551bf83f4d974ec2326
Executive Summary
Signed PE32 dropper built with 7-Zip SFX Constructor v4.6, masquerading as cmake_16.7.0.exe while carrying version metadata cloned from the Microsoft VC++ 2013 Redistributable. It silently extracts a password-protected 7z archive into %Temp%\main, executes KillDuplicate.cmd and then main.bat /S, and deletes the extraction directory (Delete="%%T" removes the temp path, not the dropper itself). The mining payload is AES-encrypted at rest inside the 7z overlay and is not statically recoverable without the password.
What It Is
- Filename: cmake_16.7.0.exe ^[triage.json:5]
- Type: PE32 executable (GUI) Intel 80386, 4 sections, 5.6 MB ^[file.txt:1]
- Compiler: MSVC, linker 8.0, compile stamp 2012-05-28 (stock 7z SFX module artifact) ^[pefile.txt:34] ^[rabin2-info.txt:11]
- Signed: Authenticode security directory at file offset 0x565470, size 0x3CD8 ^[pefile.txt:173] ^[binwalk.txt:10] ^[rabin2-info.txt:27]. Note the security directory entry is a raw file offset, not an RVA; binwalk's DER hit at 0x565478 is the certificate body immediately after the 8-byte WIN_CERTIFICATE header. Signature validity has not been checked (see Interesting Tidbits).
- Builder: 7z SFX Constructor v4.6.0.0 (usbtor.ru), watermark ahileeeeeess 17:30:37 22/05/2026 ^[exiftool.json:44] ^[strings.txt:242]
- Family: coinminer (OpenCTI label); dropped by AcrStealer ^[triage.json:20] ^[triage.json:9]
How It Works
The binary is a self-extracting archive using the 7-Zip SFX module. The stub locates an embedded UTF-8 config block delimited by ,!@Install@!UTF-8! and ;!@InstallEnd@! in the .rsrc section ^[strings.txt:387-414]. The config parsed by fcn.00405bfc controls silent extraction and execution:
GUIMode="2"
InstallPath="%Temp%\main"
PreExtract="%%P:hidcon:cmd /c \"\"%%T\KillDuplicate.cmd\" \"%%T\" \"%%M\"\""
RunProgram="%%P:hidcon:\"main.bat\" /S"
Delete="%%T"
^[strings.txt:408-412]
GUIMode="2" suppresses all UI. The stub extracts the appended 7z archive to %TEMP%\main, spawns cmd /c KillDuplicate.cmd with a hidden console (the hidcon: prefix is a directive consumed by the SFX module and does not appear in the child's command line), then executes main.bat /S, and finally deletes the temp extraction path. The 7z archive occupies a 5.3 MB overlay at file offset 0x228E2 ^[binwalk.txt:9]. Attempting to list contents with py7zr fails with PasswordRequired ^[terminal output]. That exception is raised when the archive header itself is encrypted (7z's -mhe=on), so not even file names are readable; 7z's only cipher is 7zAES (AES-256-CBC with a SHA-256-derived key), which is what "AES-encrypted at rest" means here. Note that the config block as dumped (strings.txt:408-413) carries no password key: with GUIMode="2" there is no prompt, so the stub supplies the password itself at runtime, and the practical route to the payload is dynamic, running the sample in a sandbox and capturing %TEMP%\main before Delete="%%T" fires. Without the password, the miner binary, wallet addresses, and pool configuration remain unobservable statically.
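As an added example (not from the original report and not the authors' custom extraction script), the following self-contained Python parser does the static triage described above: it pulls the !@Install@! config block out of the stub, unescapes the \" quoting, locates the 7z start header, verifies its CRC, and tells an encoded (compressed/encrypted) next header apart from a plain one. The bytes it runs on are constructed here (a fake PE prefix, the config quoted above, and a minimal 7z start header whose next header is encoded and names the 7zAES coder); the 7zAES-coder-id search is a heuristic over the encoded header, not a full 7z property parser. Point analyze_sfx at open(path, "rb").read() to run it on a real sample.

```python
"""Static parser for a 7-Zip SFX dropper: pulls the !@Install@! config block
out of the stub and inspects the appended 7z start header without the password."""
import re
import struct
import zlib

SFX_START = b"!@Install@!UTF-8!"   # matched without its leading ';' or ',' byte
SFX_END = b"!@InstallEnd@!"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
AES_CODER_ID = b"\x06\xf1\x07\x01"  # 7zAES coder id as written in a 7z folder record
KV_RE = re.compile(r'(\w+)="((?:\\.|[^"\\])*)"')


def parse_sfx_config(blob: bytes) -> dict:
    """Return Key="Value" pairs from the SFX config block; ';' lines are comments."""
    start = blob.find(SFX_START)
    end = blob.find(SFX_END, start) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no SFX config block found")
    body = blob[start + len(SFX_START):end].decode("utf-8", "replace")
    cfg = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KV_RE.fullmatch(line)
        if m:
            cfg[m.group(1)] = m.group(2).replace('\\"', '"')  # undo SFX-style \" escaping
    return cfg


def parse_7z_start_header(blob: bytes, offset: int) -> dict:
    """Decode the 32-byte 7z start header at `offset`, verify its CRC and classify
    the next header: 0x01 is a plain header (file names readable), 0x17 is an
    encoded header (compressed and/or encrypted), which is what a password plus
    -mhe=on produces and why py7zr raises PasswordRequired on a mere listing."""
    hdr = blob[offset:offset + 32]
    if len(hdr) < 32 or hdr[:6] != SEVENZ_MAGIC:
        raise ValueError("no 7z start header at offset %#x" % offset)
    major, minor, start_crc = struct.unpack_from("<BBI", hdr, 6)
    next_off, next_size, next_crc = struct.unpack_from("<QQI", hdr, 12)
    nh_pos = offset + 32 + next_off            # NextHeaderOffset is relative to the start header end
    next_header = blob[nh_pos:nh_pos + next_size]
    kind = {0x01: "plain", 0x17: "encoded"}.get(next_header[0] if next_header else -1, "unknown")
    return {
        "version": "%d.%d" % (major, minor),
        "start_header_crc_ok": zlib.crc32(hdr[12:32]) == start_crc,
        "next_header_crc_ok": zlib.crc32(next_header) == next_crc,
        "header_kind": kind,
        # heuristic: an encoded header that names the 7zAES coder is encrypted,
        # so even file names stay hidden until the password is known
        "header_encrypted": kind == "encoded" and AES_CODER_ID in next_header,
    }


def analyze_sfx(blob: bytes) -> dict:
    """Config block plus 7z overlay facts, the same items the report's static triage needs."""
    overlay = blob.find(SEVENZ_MAGIC)   # first signature hit, the offset binwalk reports
    if overlay < 0:
        raise ValueError("no 7z signature found")
    return {
        "config": parse_sfx_config(blob),
        "overlay_offset": overlay,
        "archive": parse_7z_start_header(blob, overlay),
    }


def build_sample() -> bytes:
    """Constructed stand-in for the dropper (not the real file): a fake PE prefix,
    the config block quoted in this report, and a 7z start header whose next
    header is encoded (0x17) and names the 7zAES coder."""
    config = (
        b",!@Install@!UTF-8!\r\n"
        b'GUIMode="2"\r\n'
        b'InstallPath="%Temp%\\main"\r\n'
        b'PreExtract="%%P:hidcon:cmd /c \\"\\"%%T\\KillDuplicate.cmd\\" \\"%%T\\" \\"%%M\\"\\""\r\n'
        b'RunProgram="%%P:hidcon:\\"main.bat\\" /S"\r\n'
        b'Delete="%%T"\r\n'
        b";Mirosoft_2026\r\n"
        b";!@InstallEnd@!"
    )
    packed = b"\x00" * 16                           # stands in for the encrypted packed streams
    encoded_header = b"\x17\x06\x0f\x0b\x01\x00\x01\x04" + AES_CODER_ID + b"\x00"
    tail = struct.pack("<QQI", len(packed), len(encoded_header), zlib.crc32(encoded_header))
    start_header = SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", zlib.crc32(tail)) + tail
    pe_stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    return pe_stub + config + b"\x00" * 64 + start_header + packed + encoded_header


if __name__ == "__main__":
    result = analyze_sfx(build_sample())
    for key, value in result["config"].items():
        print("%-12s %s" % (key, value))
    print("7z overlay at %#x: %s" % (result["overlay_offset"], result["archive"]))
```

On a real file the overlay offset should agree with binwalk (0x228E2 here) and a start_header_crc_ok of False means the archive was truncated or tampered with; header_kind "plain" would mean file names are listable even without the password, which is not the case for this sample.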
Decompiled Behavior
Entry point 0x41945f is standard MSVC CRT startup (__set_app_type, __getmainargs, GetStartupInfoA, then main) ^[r2:entry0]. main at 0x4074d5 immediately delegates to fcn.00405bfc, the SFX engine ^[r2:main]. That function:
- Calls GetVersionExW; on pre-Win2K it shows a MessageBox and exits ^[r2:fcn.00405bfc]
- Locates the ,!@Install@!UTF-8! config block and parses variables (7zSfxVarModulePlatform, 7zSfxVarCmdLine0, 7zSfxVarSystemLanguage) ^[r2:fcn.00405bfc]
- Reads the appended 7z archive, decrypts with the embedded password (GUIMode="2" leaves no way to prompt for one), and extracts to the configured path
- Spawns child processes via CreateProcessW and ShellExecuteExW ^[pefile.txt:284-291]
- Monitors completion via WaitForMultipleObjects and GetExitCodeProcess ^[pefile.txt:422-459]
- Cleans up the extraction directory via DeleteFileW and RemoveDirectoryW as dictated by Delete="%%T" ^[pefile.txt:468-473]
The stub also imports CreateJobObjectW and AssignProcessToJobObject, suggesting the spawned miner is placed in a Windows Job Object to prevent orphan processes on stub termination ^[pefile.txt:453-457].
C2 Infrastructure
No C2 infrastructure is visible in the dropper stub. Mining pool addresses, wallet identifiers, and any download URLs are concealed inside the password-protected 7z payload. Marked as C2 obfuscated/runtime-resolved — static analysis cannot pierce the encrypted archive.
Interesting Tidbits
- Metadata clone: Version info claims Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664 with original filename vcredist_x64.exe ^[exiftool.json:38] ^[pefile.txt:244], yet the binary is 32-bit and its link timestamp (2012-05-28) predates the October 2013 release of Visual Studio 2013. The metadata was copied wholesale from a legitimate installer to evade heuristic and reputation-based detection; the mismatch between OriginalFilename and the on-disk name is itself a hunt lead.
- Builder watermark: ahileeeeeess 17:30:37 22/05/2026 gives a build-time anchor. The handle ahileeeeeess may be a pseudonym or auto-generated by the SFX Constructor GUI ^[exiftool.json:45].
- Typo in config: ;Mirosoft_2026 inside the SFX config comment suggests non-native English or sloppy copy-paste ^[strings.txt:413]. It is a comment line (leading ;) with no effect on the module, which makes it a cheap sample-specific string for signatures.
- Certificate chain: Binwalk detects multiple DER certificates and PKCS signatures starting at 0x565478, but OpenSSL 3.x fails to parse the outer PKCS#7 structure ^[binwalk.txt:10-21]. The block sits 8 bytes after the security directory at 0x565470, i.e. after the WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType); carve exactly dwLength minus 8 bytes from 0x565478 before handing it to openssl pkcs7 -inform DER, or use osslsigncode verify, which understands the PE framing, or Get-AuthenticodeSignature on Windows. Validity (valid, expired, revoked, or hash mismatch) is untested. Two outcomes matter: Authenticode hashes everything outside the checksum field, the security directory entry and the certificate table, so the 7z overlay is covered by the hash and a signature that verifies was produced after the archive was appended, which would put the signer's key in the actor's hands; a hash mismatch means the block was pasted in along with the version metadata and Windows will report it as invalid.
- Job object constraint: Import of AssignProcessToJobObject is unusual for a bare dropper, but it arrived with the stock SFX module (the 2012 link stamp predates this actor's build) rather than being this author's addition. It indicates the module can tie children to a job so they die with the stub, but whether JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE is actually set is not visible from imports alone (that requires SetInformationJobObject with JOBOBJECT_EXTENDED_LIMIT_INFORMATION), so confirm it in a sandbox before relying on it for containment.
How To Mess With It (Homelab Replication)
Toolchain: 7-Zip SFX Constructor v4.6 (Windows) or manual config injection.
Steps:
- Build any 7z archive with a payload. Set a password if you want the same static-obfuscation effect.
- Open the SFX stub in a resource editor or hex editor.
- Inject the config between the ,!@Install@!UTF-8! and ;!@InstallEnd@! markers in the .rsrc section.
- Set GUIMode="2", InstallPath="%Temp%\main", RunProgram="hidcon:your.bat", Delete="%%T".
- Append the 7z archive to the end of the PE.
What you'll learn: How SFX Constructor injects control blocks and why these markers are reliable parsing anchors for detection tools.
Verification: Run your reproducer in a sandbox; observe silent extraction, child batch execution, and temp-path deletion without GUI. If you want to inspect the extracted payload afterwards, leave the Delete line out of your reproducer or copy %TEMP%\main from inside the batch before it returns, since Delete="%%T" removes the directory as soon as the child exits.
Deployable Signatures
YARA Rule
rule Coinminer_7zSFX_Dropper_c4ac7426 {
    meta:
        description = "7-Zip SFX dropper with password-protected archive and VC++ redist masquerade"
        author = "PacketPursuit SOC"
        date = "2026-05-26"
        sha256 = "c4ac74268abff27a68f363c4d64cdbb4f743ce5b3dcb1551bf83f4d974ec2326"
    strings:
        $sfx_marker = ",!@Install@!UTF-8!" ascii wide
        $sfx_end = ";!@InstallEnd@!" ascii wide
        $guimode = "GUIMode=\"2\"" ascii wide
        $preextract = "PreExtract=" ascii wide
        $killdup = "KillDuplicate.cmd" ascii wide
        $runprog = "RunProgram=" ascii wide
        $mainbat = "main.bat" ascii wide
        $delete = "Delete=\"%%T\"" ascii wide
        $builder = "ahileeeeeess" ascii wide
        $mirosoft = "Mirosoft_2026" ascii wide
        $vcredist = "Microsoft Visual C++ 2013 Redistributable" ascii wide
        $vc_orig = "vcredist_x64.exe" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        // sized to this sample's 5.3 MB overlay; lower it to catch variants with a smaller archive
        filesize > 5MB and
        $sfx_marker and $sfx_end and
        ( $guimode or $preextract or $runprog ) and
        // sample-specific traits: script names, cleanup line, builder watermark, config typo
        // ($builder and $mirosoft must be referenced; YARA rejects unreferenced strings)
        ( $killdup or $mainbat or $delete or $builder or $mirosoft ) and
        ( $vcredist or $vc_orig )
}
Behavioral Hunt Query
(parent_process_name="cmake_16.7.0.exe"
  OR (parent_original_file_name="vcredist_x64.exe" AND parent_process_name!="vcredist_x64.exe"))
AND process_name="cmd.exe"
AND (command_line="*\Temp\main\KillDuplicate.cmd*" OR command_line="*\Temp\main\main.bat*")
The filename and command-line tests have to be split across parent and child: the dropper's own command line carries none of the script names, and the hidcon: token is a directive the SFX module consumes before CreateProcessW, so a command_line="*hidcon:cmd*" clause never matches telemetry. The inequality keeps genuine vcredist_x64.exe installs out of the result set. Field names follow the convention of the original query; map parent_* to your schema (ParentImage and ParentCommandLine in Sysmon; the parent's OriginalFileName usually needs a join against the parent's own process-creation event).
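The same hunt logic as runnable code, added here as an example and not part of the original report. It walks process-creation events shaped like Sysmon/EDR records (the field names are an assumption; adjust to your schema) and applies the parent-masquerade and child-command-line tests separately. The events are constructed for illustration: two genuine dropper children, the same dropper renamed, a legitimate redistributable install, and a user's own batch file in a Temp\main folder, the last two of which must not fire.

```python
"""Apply the dropper hunt to process-creation events.
Event dicts use a Sysmon-/EDR-like shape; the field names are an assumption."""
import re

DROPPER_NAME = "cmake_16.7.0.exe"
CLONED_ORIGINAL_NAME = "vcredist_x64.exe"
TEMP_MAIN = re.compile(r"\\temp\\main\\", re.IGNORECASE)
SFX_SCRIPTS = re.compile(r"\b(KillDuplicate\.cmd|main\.bat)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parent_is_masquerading(ev: dict) -> bool:
    """Parent is the observed dropper name, or a binary whose version info says
    vcredist_x64.exe while its on-disk name is something else. A genuine
    redistributable has matching names and is not flagged."""
    p_image = basename(ev.get("parent_image", ""))
    p_orig = ev.get("parent_original_file_name", "").lower()
    return p_image == DROPPER_NAME or (p_orig == CLONED_ORIGINAL_NAME and p_image != p_orig)


def is_sfx_child(ev: dict) -> bool:
    """cmd.exe running one of the two batch files from a ...\\Temp\\main\\ path.
    There is deliberately no 'hidcon:' test: that token is consumed by the SFX
    module and never reaches the child's command line."""
    cl = ev.get("command_line", "")
    return (basename(ev.get("image", "")) == "cmd.exe"
            and bool(TEMP_MAIN.search(cl))
            and bool(SFX_SCRIPTS.search(cl)))


def hunt(events):
    """Return the events that pass both the child test and the parent test."""
    return [ev for ev in events if is_sfx_child(ev) and parent_is_masquerading(ev)]


# Constructed events, not real telemetry. Paths follow the InstallPath from the config.
T = r"C:\Users\alice\AppData\Local\Temp\main"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": 'cmd /c ""%s\\KillDuplicate.cmd" "%s" "C:\\Users\\alice\\Downloads\\cmake_16.7.0.exe""' % (T, T),
     "parent_image": r"C:\Users\alice\Downloads\cmake_16.7.0.exe",
     "parent_original_file_name": "vcredist_x64.exe"},
    {"pid": 4188, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": 'cmd /c ""%s\\main.bat" /S"' % T,
     "parent_image": r"C:\Users\alice\Downloads\cmake_16.7.0.exe",
     "parent_original_file_name": "vcredist_x64.exe"},
    # same dropper under another name: still caught via the cloned OriginalFilename
    {"pid": 4300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": 'cmd /c ""%s\\main.bat" /S"' % T,
     "parent_image": r"C:\Users\alice\Downloads\setup_final.exe",
     "parent_original_file_name": "vcredist_x64.exe"},
    # genuine redistributable launched from Explorer: names agree, no batch files
    {"pid": 5000, "image": r"C:\Users\alice\Downloads\vcredist_x64.exe",
     "command_line": "vcredist_x64.exe /install /quiet",
     "parent_image": r"C:\Windows\explorer.exe", "parent_original_file_name": "EXPLORER.EXE"},
    # a user's own main.bat in a Temp\main folder: child test passes, parent test fails
    {"pid": 5100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd /c "%s\\main.bat"' % T,
     "parent_image": r"C:\Windows\explorer.exe", "parent_original_file_name": "EXPLORER.EXE"},
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(ev["pid"], ev["parent_image"], "->", ev["command_line"])
```

Keeping the two tests in separate functions makes it easy to loosen one side on purpose, for instance dropping the parent test to sweep for any cmd.exe running KillDuplicate.cmd from a Temp\main path when you suspect a re-packed variant with fresh version metadata.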
IOC List
| Indicator | Value | Type |
|---|---|---|
| SHA-256 | c4ac74268abff27a68f363c4d64cdbb4f743ce5b3dcb1551bf83f4d974ec2326 | Hash |
| Filename | cmake_16.7.0.exe | String |
| Original filename (PE version info) | vcredist_x64.exe | String |
| Company name (false) | Microsoft Corporation | String |
| Builder watermark | ahileeeeeess 17:30:37 22/05/2026 | String |
| SFX config marker | GUIMode="2", InstallPath="%Temp%\main", Delete="%%T" | Config |
| Pre-extraction script | KillDuplicate.cmd | Filename |
| Run program | main.bat /S | Command |
| Temp extraction path | %TEMP%\main\ | Path |
Behavioral Fingerprint
This binary presents itself as a 32-bit GUI PE with Microsoft VC++ Redistributable version metadata and an Authenticode signature block. On execution, it silently extracts a password-protected 7z archive to %TEMP%\main, launches cmd /c KillDuplicate.cmd with a hidden console, then executes main.bat /S, and deletes the temp directory. It never shows a GUI (GUIMode=2) and spawns multiple child processes within seconds of launch. The mining payload is encrypted at rest and is decrypted only at runtime, onto disk under %TEMP%\main, where it lives until Delete="%%T" removes the directory once the batch files return; a sandbox that snapshots that path mid-run recovers it.
Detection Signatures
- YARA: PE_File_Generic (generic, low-confidence hit from triage) ^[yara.txt:1]
- ssdeep: 98304:5n5VJ19Ci0FFkbVjsxry2fokUnhlbkflE5CMLp9F0B8DldAqcN1iMpQzD/k ^[ssdeep.txt:2]
- TLSH: 37463386BBD2A5BDC5CA147159289BB607F8DF442B11C2D343107A216D343DADE7B2CE ^[tlsh.txt:1]
- capa: Tool failed during triage (capa package could not be executed as module) ^[capa.txt:1]
References
- MalwareBazaar artifact: 0788a90d-ba23-4724-8947-ccd15ea3be76
- OpenCTI labels: coinminer, dropped-by-acrstealer, exe, malware-bazaar, signed ^[triage.json:7-12]
- 7z SFX Constructor: http://usbtor.ru/viewtopic.php?t=798 ^[exiftool.json:44]
Provenance
File classification from file (file 5.6.2). PE structure, imports, version info from pefile (pefile 2023.2.7). Strings from GNU strings. SFX config extracted via custom Python 3 script. 7z archive listing attempted with py7zr 1.1.0 — password required. Radare2 static analysis at level 3 (912 functions identified). Ghidra import was queued but not completed at time of writing. Builder metadata from exiftool (ExifTool 12.76). Overlay detection from binwalk (Binwalk v2.3.4). Certificate DER blocks detected at offset 0x565478; parsing failed with OpenSSL 3.x due to nested ASN.1 errors.