Old Miner, New Tricks

    Date: 07/17/2025

    Severity: High

    Summary

    We recently investigated a cluster of VPSs being used for Monero mining and tied them to updated samples from earlier H2miner campaigns. H2miner is a crypto-mining botnet that has been active since late 2019; Lcryx (also tracked as Lcrypt0rx) is VBScript-based ransomware first seen in November 2024. The Lcryx code shows signs of being AI-generated and exhibits unusual behavior, and this is the first time it has been observed alongside H2miner operations. The overlap points to possible collaboration, tool reuse, or cross-platform targeting intended to increase financial gain and muddy attribution.

    Indicators of Compromise (IOC) List 

    Monero wallet addresses (listed as Domains\URLs in the original; the three values below are 95-character Monero payment addresses, which a miner uses as its pool login, not hostnames or URLs) :

    4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC

    89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X

    89Arz88KTafhoTPAseYf2bfcWSjNq1YLaVY7ZkFaU21FivDueX4d7X7UErnyjAWHsVB1mibdTGHzqUTsS5FCMog89GVcQCh

    IP Address : 

    78.153.140.66

    80.64.16.241

    89.208.104.175

    47.97.113.36

    176.65.137.203

    185.156.72.96

    80.64.18.161

    207.231.109.252

    104.21.32.1

    Note: 104.21.32.1 falls within Cloudflare's 104.16.0.0/13 anycast range, so a connection to it is shared-infrastructure evidence rather than a dedicated attacker host; corroborate a hit on this address with another indicator before blocking or escalating.

    Hash (MD5) :

    ff1706b37fea16d75b739a5396d9ffba

    9e4f149dae1891f1d22a2cea4f68432e

    a729410de4dc397d1fb2ab8f7ae560d3

    2726145d4ef3b34d3c3a566177805c39

    1aee8a425ea53c571a16b8efde05ba01

    b6cd214bb814362694cc48299ebaf0e5

    0680df49e1866c86697028ea73d28d28

    d3884cc519c6855ae20d64264d5f6e93

    57f0fdec4d919db0bd4576dc84aec752

    44143827116c96f5dcace4f95dff8697

    1bf1efeadedf52c0ed50941b10a2f468

    a7bee104bb486ad0f10331233cc9a9f1

    0dc2c71ce9c6c34668e9636abf61b1ae

    01e5b2530d4cba34f91c8090d19c92db

    dbc9125192bd1994cbb764f577ba5dda

    b3039abf2ad5202f4a9363b418002351

    da753ebcfe793614129fc11890acedbc

    ccef46c7edf9131ccffc47bd69eb743b

    06a482a6096e8ff4499ae69a9c150e92

    f5f2b61b39105a2b1e6e1a5f4a3863ae

    9f764ec91535eaf03983b930d9f3bacd

    Hash (SHA256) :

    bb0f370e11302ca2d7f01d64f0f45fbce4bac6fd5613d8d48df29a83d382d232

    6960c76b624b2ed9fc21546af98e1fa2169cd350f37f6ca85684127e9e74d89c

    a244bfcd82d4bc2de30fc1d58750875b638d8632adb11fe491de6289ff30d8e5

    b2811b3074eff16ec74afbeb675c85a9ec1f0befdbef8d541ac45640cacc0900

    9dae4e219880f0e4de5bcba649fd0741e409c8a56b4f5bef059cdf3903b78ac2

    34d602d9674f26fa2a141c688f305da0eea2979969f42379265ee18589751493

    58e1f833c42ca4e14c61475d4bb5232032f27f82a7afa858284ced486324d763

    f89470a8ac72a1be400be28aaf8170a129b776bd9182fbd43548d40ac9ca3251

    3a67df40721703c455c6364ff6fda6af4a6df95d0b7bff1a7cebd45cc3f5d1f0

    787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c

    c6fbd6896d162a12d9c900056781eb82f44649945808b7b009646b5397bcf6bf

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Monero wallet addresses (the query below matches them against the domainname, url and siteurl fields; a mining wallet normally appears in the miner's command line or configuration file rather than in DNS or web telemetry, so also search process command-line and file-content fields for the same strings) :

    domainname like "4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC" or url like "4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC" or siteurl like "4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC" or domainname like "89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X" or url like "89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X" or siteurl like "89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X" or domainname like "89Arz88KTafhoTPAseYf2bfcWSjNq1YLaVY7ZkFaU21FivDueX4d7X7UErnyjAWHsVB1mibdTGHzqUTsS5FCMog89GVcQCh" or url like "89Arz88KTafhoTPAseYf2bfcWSjNq1YLaVY7ZkFaU21FivDueX4d7X7UErnyjAWHsVB1mibdTGHzqUTsS5FCMog89GVcQCh" or siteurl like "89Arz88KTafhoTPAseYf2bfcWSjNq1YLaVY7ZkFaU21FivDueX4d7X7UErnyjAWHsVB1mibdTGHzqUTsS5FCMog89GVcQCh"

    IP Address : 

    dstipaddress IN ("78.153.140.66","89.208.104.175","80.64.18.161","47.97.113.36","185.156.72.96","176.65.137.203","80.64.16.241","207.231.109.252","104.21.32.1") or srcipaddress IN ("78.153.140.66","89.208.104.175","80.64.18.161","47.97.113.36","185.156.72.96","176.65.137.203","80.64.16.241","207.231.109.252","104.21.32.1")

    Hash 1 (SHA256) :

    sha256hash IN ("bb0f370e11302ca2d7f01d64f0f45fbce4bac6fd5613d8d48df29a83d382d232","6960c76b624b2ed9fc21546af98e1fa2169cd350f37f6ca85684127e9e74d89c","a244bfcd82d4bc2de30fc1d58750875b638d8632adb11fe491de6289ff30d8e5","b2811b3074eff16ec74afbeb675c85a9ec1f0befdbef8d541ac45640cacc0900","9dae4e219880f0e4de5bcba649fd0741e409c8a56b4f5bef059cdf3903b78ac2","34d602d9674f26fa2a141c688f305da0eea2979969f42379265ee18589751493","58e1f833c42ca4e14c61475d4bb5232032f27f82a7afa858284ced486324d763","f89470a8ac72a1be400be28aaf8170a129b776bd9182fbd43548d40ac9ca3251","3a67df40721703c455c6364ff6fda6af4a6df95d0b7bff1a7cebd45cc3f5d1f0","787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c","c6fbd6896d162a12d9c900056781eb82f44649945808b7b009646b5397bcf6bf")

    Hash 2 (MD5) :

    md5hash IN ("0680df49e1866c86697028ea73d28d28","ff1706b37fea16d75b739a5396d9ffba","b6cd214bb814362694cc48299ebaf0e5","d3884cc519c6855ae20d64264d5f6e93","f5f2b61b39105a2b1e6e1a5f4a3863ae","57f0fdec4d919db0bd4576dc84aec752","2726145d4ef3b34d3c3a566177805c39","0dc2c71ce9c6c34668e9636abf61b1ae","9f764ec91535eaf03983b930d9f3bacd","01e5b2530d4cba34f91c8090d19c92db","06a482a6096e8ff4499ae69a9c150e92","a729410de4dc397d1fb2ab8f7ae560d3","9e4f149dae1891f1d22a2cea4f68432e","ccef46c7edf9131ccffc47bd69eb743b","a7bee104bb486ad0f10331233cc9a9f1","dbc9125192bd1994cbb764f577ba5dda","1aee8a425ea53c571a16b8efde05ba01","44143827116c96f5dcace4f95dff8697","1bf1efeadedf52c0ed50941b10a2f468","b3039abf2ad5202f4a9363b418002351","da753ebcfe793614129fc11890acedbc")

    Note: hash fields are compared case-sensitively in many platforms, so keep indicator hashes in lowercase hex and normalize the telemetry field the same way before matching.
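    The queries above match literal indicator values inside a SIEM; the same values can be checked offline on a suspect VPS. The block below is an added example written for this page, not code from the Fortinet report or from Gurucul. It embeds the page's MD5, SHA256, IP and wallet indicators, hashes files against them, and scans log lines for listed IPs, listed hashes and any Monero-shaped wallet string (95 base58 characters starting with 4 or 8), so an unlisted wallet in a miner command line still surfaces at lower confidence. The key=value log lines and the /tmp/.x/miner path are constructed for the demonstration; the low-confidence treatment of 104.21.32.1 rests on that address lying in Cloudflare's 104.16.0.0/13 anycast range.

```python
# Offline IOC triage for the H2miner / Lcryx indicators on this page.
# Added example, not code from the Fortinet report or from Gurucul. Indicator
# values are copied from the lists above; the log lines below are constructed.
import hashlib
import ipaddress
import re
from pathlib import Path

IOC_MD5 = {  # copied from the Hash list, normalised to lowercase hex
    "ff1706b37fea16d75b739a5396d9ffba", "9e4f149dae1891f1d22a2cea4f68432e",
    "a729410de4dc397d1fb2ab8f7ae560d3", "2726145d4ef3b34d3c3a566177805c39",
    "1aee8a425ea53c571a16b8efde05ba01", "b6cd214bb814362694cc48299ebaf0e5",
    "0680df49e1866c86697028ea73d28d28", "d3884cc519c6855ae20d64264d5f6e93",
    "57f0fdec4d919db0bd4576dc84aec752", "44143827116c96f5dcace4f95dff8697",
    "1bf1efeadedf52c0ed50941b10a2f468", "a7bee104bb486ad0f10331233cc9a9f1",
    "0dc2c71ce9c6c34668e9636abf61b1ae", "01e5b2530d4cba34f91c8090d19c92db",
    "dbc9125192bd1994cbb764f577ba5dda", "b3039abf2ad5202f4a9363b418002351",
    "da753ebcfe793614129fc11890acedbc", "ccef46c7edf9131ccffc47bd69eb743b",
    "06a482a6096e8ff4499ae69a9c150e92", "f5f2b61b39105a2b1e6e1a5f4a3863ae",
    "9f764ec91535eaf03983b930d9f3bacd",
}
IOC_SHA256 = {  # copied from the "Hash 1" TDIR query, lowercased
    "bb0f370e11302ca2d7f01d64f0f45fbce4bac6fd5613d8d48df29a83d382d232",
    "6960c76b624b2ed9fc21546af98e1fa2169cd350f37f6ca85684127e9e74d89c",
    "a244bfcd82d4bc2de30fc1d58750875b638d8632adb11fe491de6289ff30d8e5",
    "b2811b3074eff16ec74afbeb675c85a9ec1f0befdbef8d541ac45640cacc0900",
    "9dae4e219880f0e4de5bcba649fd0741e409c8a56b4f5bef059cdf3903b78ac2",
    "34d602d9674f26fa2a141c688f305da0eea2979969f42379265ee18589751493",
    "58e1f833c42ca4e14c61475d4bb5232032f27f82a7afa858284ced486324d763",
    "f89470a8ac72a1be400be28aaf8170a129b776bd9182fbd43548d40ac9ca3251",
    "3a67df40721703c455c6364ff6fda6af4a6df95d0b7bff1a7cebd45cc3f5d1f0",
    "787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c",
    "c6fbd6896d162a12d9c900056781eb82f44649945808b7b009646b5397bcf6bf",
}
IOC_IPS = {
    "78.153.140.66", "80.64.16.241", "89.208.104.175", "47.97.113.36", "176.65.137.203",
    "185.156.72.96", "80.64.18.161", "207.231.109.252", "104.21.32.1",
}
# 104.21.32.1 sits in Cloudflare's 104.16.0.0/13 anycast block: a flow to it is
# shared-infrastructure evidence, so it is reported as low confidence.
SHARED_INFRA = ipaddress.ip_network("104.16.0.0/13")
IOC_WALLETS = {
    "4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC",
    "89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X",
    "89Arz88KTafhoTPAseYf2bfcWSjNq1YLaVY7ZkFaU21FivDueX4d7X7UErnyjAWHsVB1mibdTGHzqUTsS5FCMog89GVcQCh",
}

# Monero standard and sub-addresses: 95 base58 characters with a leading 4 or 8.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
WALLET_RE = re.compile(rf"(?<!{_B58})[48]{_B58}{{94}}(?!{_B58})")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{64}\b")


def scan_line(line: str) -> list[tuple[str, str, str]]:
    """Return sorted (kind, value, confidence) hits for one log line."""
    hits = []
    for ip in set(IPV4_RE.findall(line)):
        if ip in IOC_IPS:
            conf = "low" if ipaddress.ip_address(ip) in SHARED_INFRA else "high"
            hits.append(("ip", ip, conf))
    for addr in set(WALLET_RE.findall(line)):
        # Any wallet on a server is worth a look; one from the list is a firm hit.
        hits.append(("monero_wallet", addr, "high" if addr in IOC_WALLETS else "medium"))
    for h in set(HEX_RE.findall(line)):
        if h.lower() in IOC_MD5 or h.lower() in IOC_SHA256:
            hits.append(("hash", h.lower(), "high"))
    return sorted(hits)


def triage(lines):
    """Index every line that carries at least one indicator hit."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := scan_line(line))]


def check_data(data: bytes) -> dict:
    """Digest file contents and report whether either digest is on the IOC lists."""
    d = {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}
    d["ioc_match"] = d["md5"] in IOC_MD5 or d["sha256"] in IOC_SHA256
    return d


def check_file(path) -> dict:
    return check_data(Path(path).read_bytes())


# Constructed log lines in a generic key=value shape (not real telemetry).
SAMPLE_LOGS = [
    "2025-07-17T10:02:11Z vps-07 conn src=10.0.0.5 dst=78.153.140.66 dport=8080",
    "2025-07-17T10:02:30Z vps-07 proc cmd='/tmp/.x/miner -o pool:3333 -u "
    "4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC -p x'",
    "2025-07-17T10:02:45Z vps-07 edr file_create path=/tmp/.x/miner md5=ff1706b37fea16d75b739a5396d9ffba",
    "2025-07-17T10:03:00Z vps-07 conn src=10.0.0.5 dst=104.21.32.1 dport=443",
    "2025-07-17T10:03:10Z vps-07 conn src=10.0.0.5 dst=93.184.216.34 dport=443",
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_LOGS):
        print(i, hits)
```

    Run as a script it triages the constructed lines (the first four produce hits, the last is clean); in practice, feed triage real process-creation and flow logs and point check_file at files recovered from the VPS. Because wallet addresses live in command lines and miner configuration rather than DNS, the wallet scan belongs on process telemetry, not only on proxy or DNS logs.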

    Reference:

    https://www.fortinet.com/blog/threat-research/old-miner-new-tricks


    Tags

    Malware, Ransomware, Monero mining, H2miner, Cryptomining, Lcryx, Lcrypt0rx, Financial Services

