Signature match: Trojan (appears legitimate but performs malicious actions), platform Win32 (32-bit Windows), family CoinMiner
Trojan:Win32/CoinMiner.CF!bit is a cryptocurrency miner that consumes system resources to mine Monero without the user's consent. It achieves persistence by adding itself to the Windows Run key and attempts to evade detection by disabling Windows Defender's real-time monitoring.
Relevant strings associated with this threat:
- pool.supportxmr.com (PEHSTR_EXT)
- pool.minexmr.com (PEHSTR_EXT)
- Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
rule Trojan_Win32_CoinMiner_CF_2147724500_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/CoinMiner.CF!bit"
        threat_id = "2147724500"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "CoinMiner"
        severity = "Critical"
        info = "bit: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "pool.supportxmr.com" ascii // weight: 1
        $x_1_2 = "pool.minexmr.com" ascii // weight: 1
        $x_1_3 = "Set-MpPreference -DisableRealtimeMonitoring $true" ascii // weight: 1
        $x_1_4 = "Microsoft\\Windows\\CurrentVersion\\Run" ascii // weight: 1
    condition:
        (filesize < 20MB) and
        (3 of ($x*))
}

Associated sample hash: 31e43e5d36c7852f0953e9431d9ea27b98f52231a425d48d14bd1bc97bb47754

Remediation: Immediately isolate the infected system. Perform a full scan with updated antivirus software, ensuring all detected malicious files are quarantined or removed. Verify that Windows Defender's real-time protection is active and remove any unauthorized startup entries.
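As an added illustration (not code from threatcheck.sh or part of the rule), the following Python re-implements the rule's condition (filesize < 20MB and 3 of the 4 ASCII strings) so the threshold logic can be exercised against constructed buffers; real scanning should use YARA itself (for example yara-python), which this does not replace. The sample buffers are constructed for the example and are not real malware.

```python
"""Plain-Python re-implementation of the CoinMiner.CF rule's condition."""
import os
from typing import Dict, List

# The four ASCII strings from the rule, each with weight 1.
RULE_STRINGS: Dict[str, bytes] = {
    "$x_1_1": b"pool.supportxmr.com",
    "$x_1_2": b"pool.minexmr.com",
    "$x_1_3": b"Set-MpPreference -DisableRealtimeMonitoring $true",
    "$x_1_4": b"Microsoft\\Windows\\CurrentVersion\\Run",
}
THRESHOLD = 3                     # "3 of ($x*)"
MAX_FILESIZE = 20 * 1024 * 1024   # YARA's "20MB" is 20 * 2^20 bytes


def matched_strings(data: bytes) -> List[str]:
    """Return the identifiers of the rule strings found in the buffer."""
    return [name for name, needle in RULE_STRINGS.items() if needle in data]


def rule_matches(data: bytes) -> bool:
    """Mirror the condition: (filesize < 20MB) and (3 of ($x*))."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matched_strings(data)) >= THRESHOLD


def scan_file(path: str) -> List[str]:
    """Apply the rule to a file on disk; returns the hits, or [] when it does not fire."""
    # Size check happens before reading so an oversized file is never loaded.
    if os.path.getsize(path) >= MAX_FILESIZE:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    hits = matched_strings(data)
    return hits if len(hits) >= THRESHOLD else []


# Constructed sample buffers (not real malware) standing in for file contents.
SAMPLE_HIT = (b"MZ\x90\x00" + b"\x00" * 64
              + b"pool.supportxmr.com\x00"
              + b"Set-MpPreference -DisableRealtimeMonitoring $true\x00"
              + b"Microsoft\\Windows\\CurrentVersion\\Run\x00")
# Only two of the four strings: below threshold, so the rule must not fire.
SAMPLE_MISS = (b"MZ\x90\x00" + b"pool.minexmr.com\x00"
               + b"Microsoft\\Windows\\CurrentVersion\\Run\x00")
```

Note that a single string such as the Run key path also appears in plenty of legitimate software, which is why the rule needs three hits before it fires.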