CoinMiner detected

Hi ESET,

I am getting this message every 15 to 20 seconds and don't know how to fix it.

a threat (MSIL/coinminer.BLB) was found in a file that dotnet tried to access

Please help

  • Most Valued Members
36 minutes ago, Headshot557 said:

Hi ESET,

I am getting this message every 15 to 20 seconds and don't know how to fix it.

a threat (MSIL/coinminer.BLB) was found in a file that dotnet tried to access

Please help

Have you installed or downloaded anything lately? It seems you have a coinminer. Does this occur only when the browser is open? If so, it could be an add-on.

  • Marcos changed the title to CoinMiner detected

I found a recent thread in this forum directly related to this coinminer: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/page/2/ .

Run an Eset scan preferably as Administrator. Eset should remove the coinminer and stop the alerts being displayed.

-EDIT- Previous detections of this coin-miner showed that this folder, C:\Users\xxxxxx\AppData\Roaming\Microsoft\HashCalc\MD5, contains a .exe and .dll used by the coin-miner.

Edited by itman

A few sources for a HashCalc download are shown below. My money is on the Google Play app as the culprit:

hxxps://www.slavasoft.com/hashcalc/

hxxps://play.google.com/store/apps/details?id=com.goyalsoftech.hashcalc&hl=en_US&gl=US


Check this file. There is no detection on it yet.

Quote

Полное имя                  C:\USERS\***\APPDATA\ROAMING\STEAMAPI\CHARTTABLE\GAMESLIST\STEAMAPILIB.DLL
Имя файла                   STEAMAPILIB.DLL
Тек. статус                 АКТИВНЫЙ ?ВИРУС? ВИРУС ВНЕДРЯЕМЫЙ ПОДОЗРИТЕЛЬНЫЙ DLL в автозапуске [Запускался неявно или вручную]
                            
Обнаруженные сигнатуры      
Сигнатура                   MSIL/Agent.TPR [ESET-NOD32] (delall) [глубина совпадения 64(64), необх. минимум 64, максимум 64] 2020-03-07
                            
www.virustotal.com          2021-08-05 22:58 [2021-08-05]
-                           Файл был чист на момент проверки.
                            
Удовлетворяет критериям     
TR.BITCOIN-MINER            (ССЫЛКА ~ \TASKS\STEAM)(1) [auto (0)]
                            
Сохраненная информация      на момент создания образа
Статус                      АКТИВНЫЙ ВНЕДРЯЕМЫЙ DLL в автозапуске [Запускался неявно или вручную]
File_Id                     610AB432E000
Linker                      11.0
Размер                      25600 байт
Создан                      05.08.2021 в 11:58:40
Изменен                     05.08.2021 в 11:58:40
                            
TimeStamp                   04.08.2021 в 15:37:22
EntryPoint                  +
OS Version                  0.0
Subsystem                   Windows character-mode user interface (CUI) subsystem
IMAGE_FILE_DLL              +
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла                   64-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись               Отсутствует либо ее не удалось проверить
                            
Оригинальное имя            GoogleImageShell.dll
Версия файла                1.2.0.0
Описание                    Run32Shell
Производитель               
Комментарий                 
                            
Доп. информация             на момент обновления списка
Файл                        C:\WINDOWS\SYSTEM32\REGSVR32.EXE
CmdLine                     regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll
CmdLine                     /S C:\USERS\***\APPDATA\ROAMING\STEAMAPI\CHARTTABLE\GAMESLIST\STEAMAPILIB.DLL
SHA1                        CEF5AA279F639D500F83F51AE3BB846A2908019D
MD5                         97000AA67D7D8D6818383B683EB0C7CC
                            
Процессы                    на момент обновления списка
Процесс                     C:\WINDOWS\SYSTEM32\REGSVR32.EXE [2424]
                            
Ссылки на объект            
Ссылка                      C:\WINDOWS\SYSTEM32\TASKS\STEAMCHARTTABLEBUILDER
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F46ADFC3-FEB2-4F18-AF46-A075FD64C3C2}\Actions
Actions                     "regsvr32.exe" /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F46ADFC3-FEB2-4F18-AF46-A075FD64C3C2}\
                            


"Задача" = "c:\windows\system32\tasks\SteamChartTableBuilder" ( 4: Неизвестно ) ;
"Командная строка" = "regsvr32.exe /s C:\****\Goodwin\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" ( 4: Неизвестно ) ; Run32Shell ;  ;


"Командная строка" = "regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" ( 4: Неизвестно ) ; Run32Shell ;  ;
"SHA1" = "" ( 4: Неизвестно ) ;
"Последнее время записи" = "2021/08/05  10:45" ( 4: Неизвестно ) ;
"Время создания" = "2021/08/05  10:45" ( 4: Неизвестно ) ;
"Размер файла" = "25600" ( 4: Неизвестно ) ;
"Описание файла" = "Run32Shell" ( 4: Неизвестно ) ;
"Название компании" = "" ( 4: Неизвестно ) ;
"Версия файла" = "1.2.0.0" ( 4: Неизвестно ) ;
"Имя продукта" = "Run32Shell" ( 4: Неизвестно ) ;
"Внутреннее имя" = "GoogleImageShell.dll" ( 4: Неизвестно ) ;
"Возраст (облака)" = "сегодня" ( 4: Неизвестно ) ;
"Объем (облака)" = "1" ( 4: Неизвестно ) ;
"Ссылается на" = "Задачи планировщика системы -> c:\windows\system32\tasks\SteamChartTableBuilder -> regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll"


  • Administrators

The offending file is already detected. You may need to reboot the machine to enforce getting streamed updates that add detection.


I have converted the Russian language posting above:

Quote

"Task" = "c:\windows\system32\tasks\SteamChartTableBuilder" (4: Unknown) ; "Command Line" = "regsvr32.exe /s C:\****\Goodwin\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" (4: Unknown) ;

Run32Shell ; ;

"Command Line" = "regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" (4: Unknown) ;
Run32Shell ; ;
"SHA1" = "" (4: Unknown) ;
"Last recorded" = "2021/08/05 10:45" (4: Unknown) ;
"Creation time" = "2021/08/05 10:45" (4: Unknown) ;
"File size" = "25600" (4: Unknown) ;
"File Description" = "Run32Shell" (4: Unknown) ;
"Company name" = "" (4: Unknown) ;
"File version" = "1.2.0.0" (4: Unknown) ;
"Product Name" = "Run32Shell" (4: Unknown) ;
"Internal name" = "GoogleImageShell.dll" (4: Unknown) ;
"Age (clouds)" = "today" (4: Unknown) ;
"Volume (clouds)" = "1" (4: Unknown) ;

"Refers to" = "System Scheduler Tasks -> c:\windows\system32\tasks\SteamChartTableBuilder -> regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll"

The question here is why the creation of a scheduled task to register a .dll was not flagged as suspicious, more so when the .dll is stored in a user AppData folder.

Edited by itman

  • Administrators

What may look suspicious at first sight, on a global worldwide scale usually turns out to be a common practice that legit software uses.


20 minutes ago, Marcos said:

What may look suspicious at first sight, on a global worldwide scale usually turns out to be a common practice that legit software uses.

Per expected response, this is why I use another security product to protect me against Win LOL binary attacks:

[Image: Eset_OSA.png]


I will also add that I have had an Eset HIPS rule in place for some time to detect any child process startup from regsvr32.exe. It has never been triggered to date, indicating such activity would be far from the norm. I also monitor any outbound network traffic from regsvr32.exe using an Eset firewall rule; see below why.

Then there is the infamous Casey Smith "squiblydoo" regsvr32.exe whitelisting bypass that wreaked havoc for some time after it was published and still does today:

Quote

Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS.

https://car.mitre.org/analytics/CAR-2019-04-003/

It can allow for remote code execution by specifying a C&C server IP address in the command line.

Edited by itman
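Detection logic for the two points raised in this thread (the scheduled task that registers a DLL from a user AppData folder via regsvr32.exe /s, and the regsvr32.exe child-process, scrobj.dll and HTTP/HTTPS indicators from the CAR quote), written as an added example in Python. It is not part of any forum post, nor ESET or MITRE code. The Event schema, rule wording and every sample record except the task action quoted from the report above are constructed assumptions; the 203.0.113.10 address is a TEST-NET-3 documentation address.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record (constructed schema, not a real log format)."""
    kind: str                # task_created | process_create | image_load | network
    image: str = ""          # executable that performed the action
    cmdline: str = ""        # task action or process command line
    parent_image: str = ""   # parent executable, for process_create
    loaded_image: str = ""   # DLL path, for image_load
    dest: str = ""           # remote endpoint, for network


# regsvr32.exe by bare name or full path, case-insensitive.
REGSVR32_RE = re.compile(r'(?:^|[\\\s"])regsvr32(?:\.exe)?\b', re.IGNORECASE)
# Any path under a user's AppData profile folder (Roaming or Local).
USER_APPDATA_RE = re.compile(r'\\users\\[^\\]+\\appdata\\', re.IGNORECASE)
URL_RE = re.compile(r'https?://', re.IGNORECASE)


def is_regsvr32(text):
    return bool(REGSVR32_RE.search(text))


def analyze(ev):
    """Return a list of finding strings for one event (empty if benign)."""
    findings = []
    if ev.kind == "task_created" and is_regsvr32(ev.cmdline):
        if USER_APPDATA_RE.search(ev.cmdline):
            findings.append("scheduled task registers a DLL from a user AppData folder via regsvr32")
        else:
            findings.append("scheduled task invokes regsvr32 (review the DLL it registers)")
    elif ev.kind == "process_create":
        if is_regsvr32(ev.parent_image):
            findings.append("child process spawned by regsvr32.exe")
        if is_regsvr32(ev.image) and URL_RE.search(ev.cmdline):
            findings.append("regsvr32 command line references an HTTP(S) URL")
    elif ev.kind == "image_load":
        if is_regsvr32(ev.image) and ev.loaded_image.lower().endswith("\\scrobj.dll"):
            findings.append("regsvr32 loaded scrobj.dll (COM scriptlet host)")
    elif ev.kind == "network":
        if is_regsvr32(ev.image):
            findings.append("outbound connection from regsvr32.exe to " + ev.dest)
    return findings


def scan(events):
    """Map event index -> findings for every event that produced one."""
    return {i: f for i, ev in enumerate(events) if (f := analyze(ev))}


# Constructed sample telemetry; record 0 is the task action quoted in this thread.
SAMPLE_EVENTS = [
    Event(kind="task_created",
          cmdline=r'"regsvr32.exe" /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll'),
    # constructed benign: vendor updater task, no regsvr32
    Event(kind="task_created", cmdline=r'"C:\Program Files\ExampleVendor\updater.exe" /check'),
    # constructed: regsvr32 task on a DLL outside a user profile (lower priority, still reviewed)
    Event(kind="task_created", cmdline=r'regsvr32.exe /s "C:\Program Files\ExampleVendor\shellext.dll"'),
    # constructed: scriptlet host loaded into regsvr32
    Event(kind="image_load", image=r'C:\Windows\System32\regsvr32.exe',
          loaded_image=r'C:\Windows\System32\scrobj.dll'),
    # constructed: regsvr32 spawning a child process (the HIPS rule case)
    Event(kind="process_create", image=r'C:\Windows\System32\cmd.exe',
          parent_image=r'C:\Windows\System32\regsvr32.exe'),
    # constructed: outbound traffic from regsvr32 (the firewall rule case)
    Event(kind="network", image=r'C:\Windows\System32\regsvr32.exe', dest="203.0.113.10:443"),
    # constructed benign: regsvr32 loading an ordinary system DLL
    Event(kind="image_load", image=r'C:\Windows\System32\regsvr32.exe',
          loaded_image=r'C:\Windows\System32\ole32.dll'),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"event {idx}: {finding}")
```

The rules are deliberately narrow: a regsvr32 task pointing into AppData is ranked above one pointing into Program Files, and a plain image load of ole32.dll produces nothing, which is the kind of baseline Marcos describes when he says such activity is common for legitimate software. Tuning means adding allow-list entries for known vendor DLL paths rather than loosening the AppData rule.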

  • ESET Insiders
8 hours ago, itman said:

Per expected response, this is why I use another security product to protect me against Win LOL binary attacks:

[Image: Eset_OSA.png]

What can you do in Osarmor that can't be done through HIPS in EIS?


8 minutes ago, NewbyUser said:

What can you do in Osarmor that can't be done through HIPS in EIS?

A hell of a lot more functionality.

For starters, it has full wildcard support. Its custom rules support detection and parsing of command line paths, etc. Also, a newer feature is whitelisting via Trusted Publisher specification.


  • ESET Insiders

Yes, I know it's easier, but aren't the same things possible? Outside the no wildcards I mean. Not part of the thread, but one thing I don't about OSA is the 10MB "License Mgr". Seems odd to me to need that much data/space to know if users legitimately bought the program.


6 minutes ago, NewbyUser said:

Not part of the thread but one thing I don't about OSA is the 10MB "License Mgr" 

That's the least of the unorthodox things it does. It packs its kernel mode device drivers and loads them on-the-fly.

Edited by itman