ichadhr

Win64/CoinMiner.DN


ESET keeps popping up Win64/CoinMiner.DN when the PC starts up, and while I'm working it sometimes pops up again. I already clicked the "Clean" button with no effect; the popup shows again at random times.

eset.jpg


I tried investigating with Process Explorer; PID 4192 is registered as the IasSrv service and is connected to [randomip].vultr.com:


dllFiel.jpg
process.jpg


Sometimes my PC freezes for 5 or more seconds before the popup is shown.

Also, my monitor randomly goes blank (black) and doesn't respond to keyboard or mouse input; I need to restart the PC.

Need help!!

coinminer.dn.txt


What ver. of Windows are you using?

On Win10 1803, iassvc.dll does not exist. However, iassvcs.dll does exist.

Submit your ver. of iassvc.dll to VirusTotal for a scan and post back if anything was detected by the scanners there.

Edited by itman
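The two checks discussed above (mapping the Process Explorer PID to the service and DLL it hosts, and getting a hash to look up on VirusTotal) can be done from an elevated PowerShell prompt in one pass. The script below is an added example for this thread, not something posted by ichadhr, itman or ESET; it assumes the PID from the screenshot (4192) is passed as a parameter, reads the service's ServiceDll value from the registry, hashes and signature-checks the file, and lists the process's outbound TCP connections with a reverse DNS lookup. It changes nothing on the system.

```powershell
# Added example (not from the thread): map a suspicious PID to the Windows
# service(s) hosted in it, find the ServiceDll each one loads, hash the DLL
# and list the process's outbound TCP connections. The SHA-256 is what
# VirusTotal keys its file reports on; nothing on the machine is modified.
# Assumed input: the PID shown in Process Explorer (4192 in the original post).
param(
    [Parameter(Mandatory = $true)][int]$ProcessId
)

# Services currently running inside this PID (one svchost.exe may host several).
$services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId"
if (-not $services) {
    Write-Warning "No service is registered under PID $ProcessId"
}

foreach ($svc in $services) {
    # svchost-hosted services keep their DLL path under ...\<Service>\Parameters\ServiceDll
    $params = Join-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" 'Parameters'
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    $exists = $dll -and (Test-Path -LiteralPath $dll)

    [pscustomobject]@{
        Service     = $svc.Name
        DisplayName = $svc.DisplayName
        StartMode   = $svc.StartMode
        PathName    = $svc.PathName
        ServiceDll  = $dll
        # Compare this value with the hash in the VirusTotal report URL.
        Sha256      = if ($exists) { (Get-FileHash -Algorithm SHA256 -LiteralPath $dll).Hash } else { $null }
        # Genuine Windows service DLLs carry a valid Microsoft Authenticode signature.
        Signature   = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { $null }
    }
}

# Outbound connections owned by the PID; the PTR record shows whether the peer
# sits at a hosting provider (the post observed a *.vultr.com host).
Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
    ForEach-Object {
        $ptr = try { [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { $null }
        [pscustomobject]@{
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            ReverseDns    = $ptr
        }
    }
```

Run it as `.\Check-ServicePid.ps1 -ProcessId 4192` from an elevated prompt; if the service entry has no ServiceDll value (a plain executable service), only PathName is populated and the hash can be taken on that file instead. A ServiceDll outside `%SystemRoot%\System32`, or one whose signature status is not `Valid`, is the finding to carry over to the VirusTotal and sandbox submissions suggested in this thread.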


Please gather logs with ELC and upload the generated archive here.


Will add I find zip references to iassvc.dll on the web. Looks like we're looking at a new coin miner delivery malware here.

Neat how Eset detected it in memory!

Edited by itman


@itman

Edition     : Windows 10 Enterprise
Version     : 1803
OS Build    : 17134.254

The actual name is iassrv.dll, not iassvc.dll.

Here is the VirusTotal log: https://www.virustotal.com/#/file/8ce24e36d0d69f638b5f93e73693211ab97af2da7c163b50a2bab02207708177/detection

2 engines detected it as a Trojan.


@Marcos

File attached


eis_logs.zip

4 hours ago, ichadhr said:

2 engines detected it as a Trojan.

Interesting that Endgame detected it as malicious. Submit the same .dll here: https://www.hybrid-analysis.com/ . This site will produce an extremely detailed sandbox analysis. Copy the link of the completed analysis and post it here. Note: it will take a while for the analysis to run.

Referring back to your screenshots, the only reference I could find to a lasSvc service was in regard to RADIUS; and it was only one reference I could find. Do you have RADIUS client software installed on the client PC?

I did find a very old Symantec reference to lasSvc as a Backdoor.Trojan. It dates to 2003. However, it does seem lately that a lot of old malware is being "recycled."

Edited by itman


Also of interest, per a Robtex lookup, is the IP address involved; 207.148.73.49 looks legit:

Singapore, Central Singapore Community Development Council SG.

But where it is hosted looks suspicious:

The IP number is in Yellowknife, Canada. It is hosted by NET-207-148-64-0-1.

To find a coin miner embedded in a .dll associated with a Win service is very unusual. Did you install any software recently? It is not easy to install a service on Win 10 1803 Enterprise.

Also is your device accessible via RDP?

Finally, Microsoft associates Win64/CoinMiner as a hacktool: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/CoinMiner&ThreatID=-2147242281 . Do you have a legit copy of Win 10 Enterprise? Is all software you recently installed legit?

Edited by itman

