Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family CoinMiner
Trojan:Win32/CoinMiner.N!cl is a trojan that secretly uses the infected computer's resources to mine Monero cryptocurrency. It establishes persistence via the Run registry key and downloads additional components from hardcoded IP addresses, leading to significant system performance degradation and increased power consumption. Evidence also suggests it may attempt to locate and steal existing cryptocurrency wallets.
Relevant strings associated with this threat: - http://178.159.37.113/ (PEHSTR_EXT) - .exe (PEHSTR_EXT) - http://194.63.143.226/ (PEHSTR_EXT) - http://217.147.169.179/ (PEHSTR_EXT) - electrum_data\wallets (PEHSTR_EXT) - WindowsFormsApp3.Form1.resources (PEHSTR_EXT) - WindowsFormsApp3.exe (PEHSTR_EXT) - ZwUnmapViewOfSection (PEHSTR_EXT) - CloseHandle (PEHSTR_EXT) - nimqeFAH8 (PEHSTR_EXT) - DownloadString (PEHSTR_EXT) - FromBase64String (PEHSTR_EXT) - C3554254475.C1255198513.resources (PEHSTR_EXT) - WindowsBuiltInRole (PEHSTR_EXT) - Banned (PEHSTR_EXT) - kLjw4iIsCLsZtxc4lksN0j (PEHSTR_EXT) - WindowsFormsApp3 (PEHSTR_EXT) - Windows Write (PEHSTR_EXT) - GM.Properties.Resources (PEHSTR_EXT) - WinMedia.WinMedia_ (PEHSTR_EXT) - RogueMarket\Products\Rogue Miner V2\Review Backup\Er minator\obj\Release\OmegaMiner.pdb (PEHSTR_EXT) - SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT) - -B --donate-level 1 (PEHSTR_EXT) - coin monero (PEHSTR_EXT) - del /f /s /q (PEHSTR_EXT) - MicroBitcoin (PEHSTR_EXT) - getmininginfo (PEHSTR_EXT) - yescryptr32 (PEHSTR_EXT) - BitZeny (PEHSTR_EXT) - Miner thread priority (PEHSTR_EXT) - nWVAcot9AoqNSFEQA5.6WjyXKh6KK0v95eJSi (PEHSTR_EXT) - !#HSTR:IntentBase64 (PEHSTR_EXT) - ToBase64String (PEHSTR_EXT) - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - bitsadmin (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - InvokeV (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - ENIGMA (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
6caee8beb73f764aa98384734cd2fe2234148e5e8f4a2cfc6b068327dab27a2b7497372d24211844aa57ae4d4f97fd8b324c5f3f5ce4c81e8c150ac3b4c9815b469e0027cb53e2ba2bfe66d4aac3ea456fe4e91efbd11b631db252a9a1b02a8eUse Windows Defender to perform a full system scan and remove all detected components. Manually inspect and remove suspicious startup entries from the `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` registry key. Block the identified malicious IP addresses (178.159.37.113, 194.63.143.226, 217.147.169.179) at the network firewall.