Posted

ESET always pops up Win64/CoinMiner.DN when the PC starts up, and while I'm working it sometimes pops up again. I already clicked the "Clean" button with no effect; the popup shows again at random times.


I tried investigating with Process Explorer: PID 4192 is registered as the IasSrv service and is connected to [randomip].vultr.com.


Sometimes my PC freezes for 5 or more seconds before the popup is shown.

Also my monitor randomly goes blank (black) and does not respond when I press the keyboard or move the mouse; I need to restart the PC.

Need help!!

coinminer.dn.txt
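The manual Process Explorer check described in this post (service name, hosting PID, remote connection) can be scripted from the defender's side. The following is an added example, not code from the original thread: it lists every svchost-hosted ServiceDll, flags DLLs that are missing, outside System32 or not validly signed, records the SHA-256 for a VirusTotal lookup, and joins the hosting PID to its non-private established TCP connections. It assumes Windows 10 with the NetTCPIP module and an elevated PowerShell session.

```powershell
# Added example: audit svchost-hosted service DLLs and correlate them with
# live outbound TCP connections. Assumes Windows 10 + NetTCPIP; run elevated.
$system32    = Join-Path $env:SystemRoot 'System32'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Private/loopback ranges are ignored when listing remote peers.
$privatePeer = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'

$findings = foreach ($svc in Get-ChildItem $servicesKey) {
    $params = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path $params)) { continue }
    $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    $path    = [Environment]::ExpandEnvironmentVariables($dll)
    $reasons = @()
    $hash    = $null
    if (-not (Test-Path $path)) {
        $reasons += 'ServiceDll missing on disk'
    } else {
        if (-not $path.StartsWith($system32, 'OrdinalIgnoreCase')) { $reasons += 'outside System32' }
        # Catalog-signed Microsoft DLLs normally report Valid on Win10;
        # NotSigned / HashMismatch are the signals worth chasing.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash   # for VirusTotal lookup
    }

    # Map the service to the svchost process hosting it (0 when not running).
    $procId = (Get-CimInstance Win32_Service -Filter "Name='$($svc.PSChildName)'").ProcessId
    $peers  = @()
    if ($procId) {
        $peers = Get-NetTCPConnection -OwningProcess $procId -State Established -ErrorAction SilentlyContinue |
                 Where-Object { $_.RemoteAddress -notmatch $privatePeer } |
                 ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
    }
    if ($peers) { $reasons += "external connections: $($peers -join ', ')" }

    if ($reasons) {
        [pscustomobject]@{
            Service    = $svc.PSChildName
            ServiceDll = $path
            Sha256     = $hash
            HostPid    = $procId
            Reasons    = $reasons -join '; '
        }
    }
}
$findings | Sort-Object Service | Format-Table -AutoSize -Wrap
```

A service whose DLL is unsigned, lives outside System32, and whose host PID talks to a cloud-hosted IP is exactly the pattern reported above; the SHA-256 column can be pasted straight into VirusTotal.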

Posted (edited)

What ver. of Windows are you using?

On Win10 1803, iassvc.dll does not exist. However, iassvcs.dll does exist.

Submit your ver. of iassvc.dll to VirusTotal for a scan and post back if anything was detected by the scanners there.

Edited by itman
  • Administrators
Posted

Please gather logs with ELC and upload the generated archive here.

Posted (edited)

Will add that I find zip references to iassvc.dll on the web. Looks like we're looking at a new coin miner delivery malware here.

Neat how Eset detected it in memory!

Edited by itman
Posted

@itman

Edition     : Windows 10 Enterprise
Version     : 1803
OS Build    : 17134.254

actual name is iassrv.dll not iassvc.dll

here is VirusTotal log https://www.virustotal.com/#/file/8ce24e36d0d69f638b5f93e73693211ab97af2da7c163b50a2bab02207708177/detection

2 engines detected it as a Trojan.


@Marcos

File attached


eis_logs.zip

Posted (edited)
4 hours ago, ichadhr said:

2 engine detected as Trojan.

Interesting that Endgame detected it as malicious. Submit the same .dll here: https://www.hybrid-analysis.com/ . This site will produce an extremely detailed sandbox analysis. Copy the link of the completed analysis and post it here. Note: it will take a while for the analysis to run.

Referring back to your screenshots, the only reference I could find to a lasSvc service was in regard to RADIUS; and it was only one reference I could find. Do you have RADIUS client software installed on the client PC?

I did find a very old Symantec reference to lasSvc as a Backdoor.Trojan. It dates to 2003. However, it does seem lately that a lot of old malware is being "recycled."

Edited by itman
Posted (edited)

Also of interest, per a Robtex lookup, is the IP address involved; 207.148.73.49 looks legit:

Singapore, Central Singapore Community Development Council SG.

But where it is hosted looks suspicious:

The IP number is in Yellowknife, Canada. It is hosted by NET-207-148-64-0-1.

To find a coin miner embedded in a .dll associated with a Win service is very unusual. Did you install any software recently? It is not easy to install a service on Win 10 1803 Enterprise.

Also is your device accessible via RDP?

Finally, Microsoft associates Win64/CoinMiner as a hacktool: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/CoinMiner&ThreatID=-2147242281 . Do you have a legit copy of Win 10 Enterprise? Is all software you recently installed legit?

Edited by itman