ichadhr 0 Posted September 10, 2018
ESET always pops up Win64/CoinMiner.DN at PC startup, and while I'm working it sometimes pops up again. I already clicked the "Clean" button with no effect; the popup shows again at random times. I tried investigating with Process Explorer: PID 4192 is registered as the IasSrv service and is connected to [randomip].vultr.com. Sometimes my PC freezes for 5 or more seconds before the popup is shown. Also my monitor randomly goes blank (black) and does not respond to the keyboard or mouse; I need to restart the PC. Need help!!
Attachment: coinminer.dn.txt
itman 1,801 Posted September 10, 2018 (edited)
What version of Windows are you using? On Win10 1803, iassvc.dll does not exist. However, iassvcs.dll does exist. Submit your version of iassvc.dll to VirusTotal for a scan and post back if anything was detected by the scanners there.
Edited September 10, 2018 by itman
Administrators Marcos 5,451 Posted September 10, 2018
Please gather logs with ELC and upload the generated archive here.
itman 1,801 Posted September 10, 2018 (edited)
Will add that I find zip references to iassvc.dll on the web. Looks like we're looking at a new coin miner delivery malware here. Neat how ESET detected it in memory!
Edited September 10, 2018 by itman
ichadhr 0 Posted September 11, 2018 (Author)
@itman
Edition: Windows 10 Enterprise
Version: 1803
OS Build: 17134.254
The actual name is iassrv.dll, not iassvc.dll. Here is the VirusTotal log: https://www.virustotal.com/#/file/8ce24e36d0d69f638b5f93e73693211ab97af2da7c163b50a2bab02207708177/detection
2 engines detected it as a Trojan.
@Marcos File attached: eis_logs.zip
itman 1,801 Posted September 11, 2018 (edited)
4 hours ago, ichadhr said:
2 engines detected it as a Trojan.
Interesting that Endgame detected it as malicious. Submit the same .dll here: https://www.hybrid-analysis.com/ . This site will produce an extremely detailed sandbox analysis. Copy the link of the completed analysis and post it here. Note: it will take a while for the analysis to run.
Referring back to your screenshots, the only reference I could find to an IasSvc service was in regard to RADIUS, and it was the only reference I could find. Do you have RADIUS client software installed on the client PC? I did find a very old Symantec reference to IasSvc as a Backdoor.Trojan. It dates to 2003. However, it does seem lately that a lot of old malware is being "recycled."
Edited September 11, 2018 by itman
itman 1,801 Posted September 11, 2018 (edited)
Also of interest, per a Robtex lookup, is the IP address involved. 207.148.73.49 looks legit: Singapore, Central Singapore Community Development Council, SG. But where it is hosted looks suspicious: the IP number is in Yellowknife, Canada. It is hosted by NET-207-148-64-0-1.
To find a coin miner embedded in a .dll associated with a Win service is very unusual. Did you install any software recently? It is not easy to install a service on Win 10 1803 Enterprise. Also, is your device accessible via RDP? Finally, Microsoft classifies Win64/CoinMiner as a hacktool: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/CoinMiner&ThreatID=-2147242281 . Do you have a legit copy of Win 10 Enterprise? Is all software you recently installed legit?
Edited September 11, 2018 by itman
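An added example, not from itman or anyone in this thread: a PowerShell snippet that locates the service named above, resolves the DLL it loads from the registry, hashes it and checks its Authenticode signature, so the file on disk can be compared with the VirusTotal hash posted earlier and submitted for analysis if it differs. The service name and the SHA-256 come from the thread; the registry layout used is the standard svchost ServiceDll convention, and the output wording is assumed.

```powershell
# Added example: inspect a svchost-hosted service's DLL for triage.
# Service name as reported by Process Explorer in this thread.
$ServiceName = 'IasSrv'
# SHA-256 from the VirusTotal link posted in this thread.
$KnownHash   = '8ce24e36d0d69f638b5f93e73693211ab97af2da7c163b50a2bab02207708177'

$svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$paramKey = "$svcKey\Parameters"

if (-not (Test-Path $svcKey)) {
    Write-Output "Service '$ServiceName' is not registered on this machine."
    return
}

# ImagePath is normally svchost.exe for a DLL-hosted service; ServiceDll names the DLL itself.
$imagePath  = (Get-ItemProperty -Path $svcKey   -ErrorAction SilentlyContinue).ImagePath
$serviceDll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
$pid        = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").ProcessId

Write-Output "ImagePath : $imagePath"
Write-Output "ServiceDll: $serviceDll"
Write-Output "Host PID  : $pid"

if ($serviceDll) {
    $dllPath = [Environment]::ExpandEnvironmentVariables($serviceDll)
    if (Test-Path $dllPath) {
        $hash = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash.ToLower()
        $sig  = Get-AuthenticodeSignature -FilePath $dllPath
        Write-Output "SHA256    : $hash"
        Write-Output "Signature : $($sig.Status) ($($sig.SignerCertificate.Subject))"

        if ($hash -eq $KnownHash) {
            Write-Output 'MATCH: this DLL is the sample already analysed on VirusTotal.'
        } elseif ($sig.Status -ne 'Valid') {
            # A Windows service DLL should normally carry a valid Microsoft signature.
            Write-Output 'Unsigned or invalid signature: worth submitting this file for analysis.'
        }
    } else {
        Write-Output "ServiceDll path does not exist on disk: $dllPath"
    }
}
```

Run from an elevated PowerShell prompt; the hash and signature output is what to compare against the scan results before deciding whether to submit the file.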
Administrators Marcos 5,451 Posted September 11, 2018
Please generate a Procmon boot log as per https://support.eset.com/kb6308/, section "Gather boot log files". After you've generated the log, compress it, upload it to a safe location (e.g. Dropbox, OneDrive, etc.) and provide me with a download link.
ichadhr 0 Posted September 20, 2018 (Author)
@Marcos Sorry, I can't upload the boot log file because of a poor internet connection; the size is crazy big (2.06 GB).
As I see from the ESET log, iassrv.dll is already detected as Win64/CoinMiner.NZ and the popup is gone.
Related link: https://forum.esetnod32.ru/forum6/topic14960/
Thanks all