Trojan:Win64/CoinMiner - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/CoinMiner
Classification:
  Type: Trojan
  Platform: Win64
  Family: CoinMiner
  Detection Type: Concrete (known malware family with identified signatures)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: a Trojan (software that appears legitimate but performs malicious actions) targeting the 64-bit Windows platform, family CoinMiner.

Summary:

This is a confirmed, concrete detection of a Trojan:Win64/CoinMiner variant that hijacks system resources to mine cryptocurrency, specifically Monero, on compromised 64-bit Windows systems. It runs known mining software such as XMRig, connects to mining pools and command-and-control (C2) servers, and attempts to hide its activity and persist on the system.

Severity: Critical

VDM Static Detection:
Relevant strings associated with this threat:
YARA Rule:
rule Trojan_Win64_CoinMiner_C_2147720589_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/CoinMiner.C"
        threat_id = "2147720589"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "CoinMiner"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        // raw bytes of "leebond986@gmail.com" followed by a NUL terminator
        $x_1_1 = {6c 65 65 62 6f 6e 64 39 38 36 40 67 6d 61 69 6c 2e 63 6f 6d 00}  //weight: 1, accuracy: High
        $x_1_2 = "leebond986@gmail.com:x" ascii //weight: 1
        $x_1_3 = "150.8.121.99" ascii //weight: 1
        $x_1_4 = "stratum+tcp://xmr.pool.minergate.com:45560" ascii //weight: 1
    condition:
        // all four weight-1 strings are required to reach the threshold of 4
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Remediation Steps:
Immediately isolate the infected host, terminate malicious processes (e.g., mscomosc.exe), and remove the malware executable and associated persistence mechanisms (e.g., startup entries, scheduled tasks). Conduct a full system scan with up-to-date security software, monitor for unauthorized network connections to mining pools, and consider a system rebuild or restoration from a trusted backup.
=== END REPORT ===