
Win64/CoinMiner.DN


ichadhr


ESET always pops up Win64/CoinMiner.DN when the PC starts up, and while I am working it sometimes pops up again. I already clicked the "Clean" button with no effect; the popup shows again at random times.

eset.jpg


I tried investigating with Process Explorer: PID 4192 is registered as the IasSrv service, and it is connected to [randomip].vultr.com:


dllFiel.jpg
process.jpg


Sometimes my PC freezes for 5 or more seconds before the popup is shown.

Also my monitor randomly goes blank (black) and does not respond when I press a key or move the mouse; I need to restart the PC.

Need help!!

coinminer.dn.txt

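The manual Process Explorer step described in the first post (PID, then the hosted service, then the remote host) can be reproduced in one pass on a Windows 10 machine. The script below is an added example, not code from the thread or from ESET; it assumes an elevated PowerShell session and only uses built-in cmdlets. The service name IasSrv and the DLL name iassrv.dll from the post are used only as the kind of entry you would expect it to surface.

```powershell
# Added triage script (not from the original thread): map each established outbound
# TCP connection to the Windows services hosted in the owning process, then show the
# ServiceDll each service loads and its Authenticode status. A service whose DLL is
# missing, unsigned, or outside System32 is a lead to investigate, not a verdict.
function Get-ServiceDllInfo {
    param([string]$ServiceName)
    # svchost-hosted services record their DLL under Parameters\ServiceDll
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return [pscustomobject]@{ Dll = $null; Signature = 'n/a' } }
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    $status = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status   # catalog-signed OS files report Valid
    } else { 'MissingFile' }
    $inSystem32 = $path -like "$env:SystemRoot\System32\*"
    [pscustomobject]@{ Dll = $path; Signature = $status; InSystem32 = $inSystem32 }
}

# Skip loopback so only real remote peers are listed
$connections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0)' }

$report = foreach ($conn in $connections) {
    $owner = $conn.OwningProcess
    $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
    # One svchost.exe instance can host several services; list each of them
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $owner"
    foreach ($svc in $hosted) {
        $info = Get-ServiceDllInfo -ServiceName $svc.Name
        [pscustomobject]@{
            PID        = $owner
            Process    = $proc.ProcessName
            Service    = $svc.Name
            Remote     = "$($conn.RemoteAddress):$($conn.RemotePort)"
            Dll        = $info.Dll
            Signature  = $info.Signature
            InSystem32 = $info.InSystem32
        }
    }
}

# Unsigned, missing or out-of-place DLLs float to the top of the table
$report | Sort-Object Signature, InSystem32 | Format-Table -AutoSize
```

Cross-check any flagged DLL's hash on VirusTotal, as itman suggests later in the thread, before deciding it is malicious; a DLL that merely resembles a legitimate name (iassrv.dll versus the real iassvcs.dll) is exactly the pattern this listing is meant to expose.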

What ver. of Windows are you using?

On Win10 1803, iassvc.dll does not exist. However, iassvcs.dll does exist.

Submit your ver. of iassvc.dll to VirusTotal for a scan and post back if anything was detected by the scanners there.

Edited by itman

Will add that I found zip references to iassvc.dll on the web. Looks like we're looking at a new coin miner delivery malware here.

Neat how Eset detected it in memory!

Edited by itman

@itman

Edition     : Windows 10 Enterprise
Version     : 1803
OS Build    : 17134.254

The actual name is iassrv.dll, not iassvc.dll.

Here is the VirusTotal log: https://www.virustotal.com/#/file/8ce24e36d0d69f638b5f93e73693211ab97af2da7c163b50a2bab02207708177/detection

2 engines detected it as a Trojan.


@Marcos

File attached:

eis_logs.zip


4 hours ago, ichadhr said:

2 engines detected it as a Trojan.

Interesting that Endgame detected it as malicious. Submit the same .dll here: https://www.hybrid-analysis.com/ . This site will produce an extremely detailed sandbox analysis. Copy the link of the completed analysis and post it here. Note: it will take a while for the analysis to run.

Referring back to your screenshots, the only reference I could find to a lasSvc service was in regard to RADIUS; and it was only one reference I could find. Do you have RADIUS client software installed on the client PC?

I did find a very old Symantec reference to lasSvc as a Backdoor.Trojan. It dates to 2003. However, it does seem lately that a lot of old malware is being "recycled."

Edited by itman

Also of interest per Robtex lookup is the IP address involved, 207.148.73.49; it looks legit:

Singapore, Central Singapore Community Development Council SG.

But where it is hosted looks suspicious:

The IP number is in Yellowknife, Canada. It is hosted by NET-207-148-64-0-1.

To find a coin miner embedded in a .dll associated with a Win service is very unusual. Did you install any software recently? It is not easy to install a service on Win 10 1803 Enterprise.

Also is your device accessible via RDP?

Finally, Microsoft associates Win64/CoinMiner as a hacktool: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/CoinMiner&ThreatID=-2147242281 . Do you have a legit copy of Win 10 Enterprise? Is all software you recently installed legit?

Edited by itman

  • Administrators

Please generate a Procmon boot log as per https://support.eset.com/kb6308/, section Gather boot log files.

After you've generated the log, compress it, upload it to a safe location (e.g. Dropbox, OneDrive, etc.) and provide me with a download link.


  • 2 weeks later...

@Marcos sorry, I can't upload the boot log file because of a poor internet connection; the size is crazy big (2.06 GB).

As I see from the ESET log, iassrv.dll is already detected as Win64/CoinMiner.NZ and the popup is gone.

log.jpg

Related link: https://forum.esetnod32.ru/forum6/topic14960/

Thanks all
