Concrete signature match: Trojan (a program that appears legitimate but performs malicious actions), platform .NET / MSIL (Microsoft Intermediate Language), family Coinminer
This threat is a Trojan coinminer targeting the .NET framework, identified through behavioral analysis (the "MTB" suffix of the detection name). It illicitly uses the victim's system resources (CPU/GPU) to mine cryptocurrency, leading to significant performance degradation. The strings in the signature indicate that the malware likely uses AES decryption and reflection (GetType/GetMethod) to unpack its payload at run time and evade static analysis.
Relevant strings associated with this threat: buffer (PEHSTR_EXT)
rule Trojan_MSIL_Coinminer_UF_2147809031_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Coinminer.UF!MTB"
        threat_id = "2147809031"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Coinminer"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "11"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "GetType" ascii //weight: 1
        $x_1_2 = "GetMethod" ascii //weight: 1
        $x_1_3 = "AES_Decryptor" ascii //weight: 1
        $x_1_4 = "TransformFinalBlock" ascii //weight: 1
        $x_1_5 = "ToString" ascii //weight: 1
        $x_1_6 = "FromBase64String" ascii //weight: 1
        $x_1_7 = "GetBytes" ascii //weight: 1
        $x_1_8 = "GetString" ascii //weight: 1
        $x_1_9 = "CreateDecryptor" ascii //weight: 1
        $x_1_10 = {00 62 75 66 66 65 72 00} //weight: 1, accuracy: High
        $x_1_11 = {00 69 6e 70 75 74 00} //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: afd4bc108d2feb94bb53048f6dbc2b46614629a3d944f14968c978cc49eb6036

Remediation: Isolate the affected machine from the network to prevent communication with mining pools. Use Windows Defender to perform a full scan and remove the detected file. Review system startup locations (e.g., Task Scheduler, Run keys) for any persistence mechanisms established by the malware and remove them.
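The rule above requires all eleven strings within a file under 20 MB, and the two hex strings are the NUL-delimited identifiers "buffer" and "input" (the form in which .NET stores names in its #Strings heap), so a bare "buffer" inside a longer word does not satisfy them. The following is an added example, not threatcheck.sh code and not YARA itself: a pure-Python evaluator of the rule's condition run against constructed sample buffers, so the semantics can be checked offline. The function names (matched_strings, missing_strings, rule_matches, build_sample) and the sample data are this example's own.

```python
"""Added example: re-implements the condition of
Trojan_MSIL_Coinminer_UF_2147809031_0 in Python so it can be exercised
against constructed buffers without a YARA install (not threatcheck.sh code)."""
from typing import Dict, List

# The eleven patterns copied from the rule. YARA 'ascii' strings are plain
# byte substrings; the two hex strings are "buffer" and "input" bounded by
# NUL bytes, matching how identifiers sit in a .NET #Strings heap.
RULE_STRINGS: Dict[str, bytes] = {
    "$x_1_1": b"GetType",
    "$x_1_2": b"GetMethod",
    "$x_1_3": b"AES_Decryptor",
    "$x_1_4": b"TransformFinalBlock",
    "$x_1_5": b"ToString",
    "$x_1_6": b"FromBase64String",
    "$x_1_7": b"GetBytes",
    "$x_1_8": b"GetString",
    "$x_1_9": b"CreateDecryptor",
    "$x_1_10": b"\x00buffer\x00",
    "$x_1_11": b"\x00input\x00",
}
MAX_FILESIZE = 20 * 1024 * 1024  # "filesize < 20MB" in the rule


def matched_strings(data: bytes) -> Dict[str, bool]:
    """Which of the rule's strings occur anywhere in data (substring semantics)."""
    return {name: pat in data for name, pat in RULE_STRINGS.items()}


def missing_strings(data: bytes) -> List[str]:
    """Names of the strings that did not hit; handy when triaging a near-miss."""
    return [name for name, hit in matched_strings(data).items() if not hit]


def rule_matches(data: bytes) -> bool:
    """Evaluate '(filesize < 20MB) and (all of ($x*))'."""
    if len(data) >= MAX_FILESIZE:
        return False
    return not missing_strings(data)


def build_sample(drop: tuple = ()) -> bytes:
    """Constructed stand-in for an assembly's metadata strings (not a real
    binary): each identifier NUL-delimited, optionally leaving some out."""
    parts = [b"MZ" + b"\x00" * 14]
    for name, pat in RULE_STRINGS.items():
        if name in drop:
            continue
        parts.append(pat if pat.startswith(b"\x00") else b"\x00" + pat + b"\x00")
    return b"".join(parts)


if __name__ == "__main__":
    full = build_sample()
    print("full sample matches:", rule_matches(full))  # True
    # 'buffer' present but not NUL-bounded, so $x_1_10 does not hit
    partial = build_sample(drop=("$x_1_10",)) + b"mybufferSize"
    print("partial sample matches:", rule_matches(partial),
          "missing:", missing_strings(partial))  # False missing: ['$x_1_10']
```

Because the condition is "all of", a single absent identifier (for example, an obfuscator renaming the "buffer" field) is enough to miss; missing_strings shows which one, which is the first thing to check when a sample that behaves like this family does not trigger the rule.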