$ analyze-threat Trojan:Win64/DisguisedXMRigMiner
Trojan:Win64/DisguisedXMRigMiner - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/DisguisedXMRigMiner
Classification:
Type: Trojan
Platform: Win64
Family: DisguisedXMRigMiner
Detection Type: Concrete (known malware family with identified signatures)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform Win64 (64-bit Windows), family DisguisedXMRigMiner.

Summary:

Trojan:Win64/DisguisedXMRigMiner is a sophisticated cryptocurrency miner that covertly consumes the host's resources for unauthorized Monero mining. It employs a range of evasion and persistence techniques: abusing legitimate Windows utilities such as rundll32, mshta, PowerShell, and BITS; hooking processes; and creating scheduled tasks to keep its mining operation running.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - mining.authorize call failed (PEHSTR)
 - mining.extranonce.subscribe (PEHSTR)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win64_DisguisedXMRigMiner_SG_2147908721_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/DisguisedXMRigMiner.SG!MTB"
        threat_id = "2147908721"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "DisguisedXMRigMiner"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR"
        threshold = "7"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "pool_wallet" ascii //weight: 1
        $x_1_2 = "nicehash" ascii //weight: 1
        $x_1_3 = "daemon-poll-interval" ascii //weight: 1
        $x_1_4 = "mining.authorize call failed" ascii //weight: 1
        $x_1_5 = "mining.extranonce.subscribe" ascii //weight: 1
        $x_1_6 = "va vyhrazena." wide //weight: 1
        $x_1_7 = "dxsetup.exe" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
Filename: dlIhost.exe (spelled with a capital I in place of the second l, mimicking the legitimate dllhost.exe)
SHA-256: a67109836839f25002d6a6e56666d6f94f7aafbd9a57c344b03b7ce55c69a32e
Date: 11/12/2025
Remediation Steps:
Immediately isolate the compromised host, run a full system scan with updated antivirus/EDR, and remove the detected malware together with all associated persistence mechanisms (e.g., scheduled tasks, registry entries). Review system logs for signs of further compromise and ensure all systems are patched and secured.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 11/12/2025.