Headshot557 0 Posted August 5, 2021
Hi ESET, I am getting this message every 15 to 20 seconds and don't know how to fix it: "a threat (MSIL/coinminer.BLB) was found in a file that dotnet tried to access". Please help.
peteyt (Most Valued Members) 396 Posted August 5, 2021
36 minutes ago, Headshot557 said:
Hi ESET, I am getting this message every 15 to 20 seconds and don't know how to fix it: "a threat (MSIL/coinminer.BLB) was found in a file that dotnet tried to access". Please help.

Have you installed/downloaded anything lately? It seems you have a coinminer. Does this occur only when the browser is open? If so, it could be an addon.
Marcos (Administrators) 5,286 Posted August 5, 2021
For a start please provide logs collected with ESET Log Collector.
itman 1,754 Posted August 5, 2021 (edited)
I found a recent thread in this forum directly related to this coinminer: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/page/2/ . Run an Eset scan, preferably as Administrator. Eset should remove the coinminer and stop the alerts being displayed.

-EDIT- Previous detections of this coin-miner showed that this folder, C:\Users\xxxxxx\AppData\Roaming\Microsoft\HashCalc\MD5, contains a .exe and .dll used by the coin-miner.
Edited August 5, 2021 by itman
itman 1,754 Posted August 5, 2021
A few sources for a HashCalc download are shown below. My money is on the Google Play app as the culprit:
hxxps://www.slavasoft.com/hashcalc/
hxxps://play.google.com/store/apps/details?id=com.goyalsoftech.hashcalc&hl=en_US&gl=US
safety 8 Posted August 6, 2021
Check this file. There is no detection on it yet.
Quote
Полное имя C:\USERS\***\APPDATA\ROAMING\STEAMAPI\CHARTTABLE\GAMESLIST\STEAMAPILIB.DLL
Имя файла STEAMAPILIB.DLL
Тек. статус АКТИВНЫЙ ?ВИРУС? ВИРУС ВНЕДРЯЕМЫЙ ПОДОЗРИТЕЛЬНЫЙ DLL в автозапуске [Запускался неявно или вручную]
Обнаруженные сигнатуры
Сигнатура MSIL/Agent.TPR [ESET-NOD32] (delall) [глубина совпадения 64(64), необх. минимум 64, максимум 64] 2020-03-07
www.virustotal.com 2021-08-05 22:58 [2021-08-05] - Файл был чист на момент проверки.
Удовлетворяет критериям TR.BITCOIN-MINER (ССЫЛКА ~ \TASKS\STEAM)(1) [auto (0)]
Сохраненная информация на момент создания образа
Статус АКТИВНЫЙ ВНЕДРЯЕМЫЙ DLL в автозапуске [Запускался неявно или вручную]
File_Id 610AB432E000
Linker 11.0
Размер 25600 байт
Создан 05.08.2021 в 11:58:40
Изменен 05.08.2021 в 11:58:40
TimeStamp 04.08.2021 в 15:37:22
EntryPoint +
OS Version 0.0
Subsystem Windows character-mode user interface (CUI) subsystem
IMAGE_FILE_DLL +
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла 64-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись Отсутствует либо ее не удалось проверить
Оригинальное имя GoogleImageShell.dll
Версия файла 1.2.0.0
Описание Run32Shell
Производитель
Комментарий
Доп. информация на момент обновления списка
Файл C:\WINDOWS\SYSTEM32\REGSVR32.EXE
CmdLine regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll
CmdLine /S C:\USERS\***\APPDATA\ROAMING\STEAMAPI\CHARTTABLE\GAMESLIST\STEAMAPILIB.DLL
SHA1 CEF5AA279F639D500F83F51AE3BB846A2908019D
MD5 97000AA67D7D8D6818383B683EB0C7CC
Процессы на момент обновления списка
Процесс C:\WINDOWS\SYSTEM32\REGSVR32.EXE [2424]
Ссылки на объект
Ссылка C:\WINDOWS\SYSTEM32\TASKS\STEAMCHARTTABLEBUILDER
Ссылка HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F46ADFC3-FEB2-4F18-AF46-A075FD64C3C2}\Actions
Actions "regsvr32.exe" /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll
Ссылка HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F46ADFC3-FEB2-4F18-AF46-A075FD64C3C2}\
safety 8 Posted August 6, 2021
"Задача" = "c:\windows\system32\tasks\SteamChartTableBuilder" ( 4: Неизвестно ) ;
"Командная строка" = "regsvr32.exe /s C:\****\Goodwin\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" ( 4: Неизвестно ) ; Run32Shell ; ;
"Командная строка" = "regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" ( 4: Неизвестно ) ; Run32Shell ; ;
"SHA1" = "" ( 4: Неизвестно ) ;
"Последнее время записи" = "2021/08/05 10:45" ( 4: Неизвестно ) ;
"Время создания" = "2021/08/05 10:45" ( 4: Неизвестно ) ;
"Размер файла" = "25600" ( 4: Неизвестно ) ;
"Описание файла" = "Run32Shell" ( 4: Неизвестно ) ;
"Название компании" = "" ( 4: Неизвестно ) ;
"Версия файла" = "1.2.0.0" ( 4: Неизвестно ) ;
"Имя продукта" = "Run32Shell" ( 4: Неизвестно ) ;
"Внутреннее имя" = "GoogleImageShell.dll" ( 4: Неизвестно ) ;
"Возраст (облака)" = "сегодня" ( 4: Неизвестно ) ;
"Объем (облака)" = "1" ( 4: Неизвестно ) ;
"Ссылается на" = "Задачи планировщика системы -> c:\windows\system32\tasks\SteamChartTableBuilder -> regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll"
Marcos (Administrators) 5,286 Posted August 6, 2021
The offending file is already detected. You may need to reboot the machine to enforce getting streamed updates that add detection.
itman 1,754 Posted August 6, 2021 (edited)
I have converted the Russian language posting above:
Quote
"Task" = "c:\windows\system32\tasks\SteamChartTableBuilder" (4: Unknown) ;
"Command Line" = "regsvr32.exe /s C:\****\Goodwin\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" (4: Unknown) ; Run32Shell ; ;
"Command Line" = "regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" (4: Unknown) ; Run32Shell ; ;
"SHA1" = "" (4: Unknown) ;
"Last recorded" = "2021/08/05 10:45" (4: Unknown) ;
"Creation time" = "2021/08/05 10:45" (4: Unknown) ;
"File size" = "25600" (4: Unknown) ;
"File Description" = "Run32Shell" (4: Unknown) ;
"Company name" = "" (4: Unknown) ;
"File version" = "1.2.0.0" (4: Unknown) ;
"Product Name" = "Run32Shell" (4: Unknown) ;
"Internal name" = "GoogleImageShell.dll" (4: Unknown) ;
"Age (clouds)" = "today" (4: Unknown) ;
"Volume (clouds)" = "1" (4: Unknown) ;
"Refers to" = "System Scheduler Tasks -> c:\windows\system32\tasks\SteamChartTableBuilder -> regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll"

Question here is why the creation of a scheduled task to register a .dll was not flagged as suspicious? More so when the .dll is stored in a user AppData directory folder.
Edited August 6, 2021 by itman
Marcos (Administrators) 5,286 Posted August 6, 2021
What may look suspicious at first sight, on a global worldwide scale usually turns out to be a common practice that legit software uses.
itman 1,754 Posted August 6, 2021
20 minutes ago, Marcos said:
What may look suspicious at first sight, on a global worldwide scale usually turns out to be a common practice that legit software uses.

Per expected response, this is why I use another security product to protect me against Win LOL binary attacks;
itman 1,754 Posted August 6, 2021 (edited)
I will also add that I have had an Eset HIPS rule in place for some time to detect any child process startup from regsvr32.exe. It has never been triggered to date, indicating such activity would be far from the norm. I also monitor any outbound network traffic from regsvr32.exe using an Eset firewall rule - see below why.

Then there is the infamous Casey Smith "squiblydoo" regsvr32.exe whitelisting bypass that wreaked havoc for some time after it was published and still does today:
Quote
Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS.
https://car.mitre.org/analytics/CAR-2019-04-003/

It can allow for remote code execution by specifying a C&C server IP address in the command line.
Edited August 6, 2021 by itman
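As an added example (not code from this thread or from ESET), the three checks raised in the two posts above, a scheduled-task action registering a DLL from a user's AppData, any child process under regsvr32.exe, and the CAR-2019-04-003 squiblydoo indicators (scrobj.dll or an HTTP(S) source), written as triage rules over constructed Sysmon-style process-creation records; the field names, rule names and sample paths are assumptions.

```python
"""Triage rules for regsvr32.exe process-creation events (added example,
not code from the thread or from ESET). Event fields follow Sysmon Event ID 1
naming: Image, CommandLine, ParentImage."""
import re

# Loader DLL stored under a user profile's AppData tree.
USER_PROFILE_DLL = re.compile(
    r"[a-z]:\\users\\[^\\]+\\appdata\\[^ ]*\.dll", re.IGNORECASE)
# Squiblydoo indicators from CAR-2019-04-003: scrobj.dll and an HTTP(S) source.
SCROBJ = re.compile(r"scrobj\.dll", re.IGNORECASE)
REMOTE_SCRIPTLET = re.compile(r"/i:https?://", re.IGNORECASE)

def is_regsvr32(image):
    return image.lower().endswith("\\regsvr32.exe")

def triage(event):
    """Return the names of the rules that fire for one event record."""
    hits = []
    cmd = event.get("CommandLine", "")
    if is_regsvr32(event.get("Image", "")):
        if USER_PROFILE_DLL.search(cmd):
            hits.append("regsvr32_dll_from_user_profile")
        if SCROBJ.search(cmd) or REMOTE_SCRIPTLET.search(cmd):
            hits.append("regsvr32_squiblydoo")
    # Any child of regsvr32.exe (the HIPS rule described in the post).
    if is_regsvr32(event.get("ParentImage", "")):
        hits.append("regsvr32_child_process")
    return hits

# Constructed sample events; the first mirrors the task action quoted above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s /i:https://example.invalid/x.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"cmd.exe /c echo hi"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
]

def triage_all(events):
    """Map each event's CommandLine to the rules it fired ([] means no hit)."""
    return {e["CommandLine"]: triage(e) for e in events}
```

The last sample, a DLL registered from Program Files by an installer, is the common legitimate case Marcos refers to and fires no rule; the rules key on the DLL location and the child/network behaviour rather than on regsvr32.exe itself.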
NewbyUser (ESET Insiders) 74 Posted August 6, 2021
8 hours ago, itman said:
Per expected response, this is why I use another security product to protect me against Win LOL binary attacks;

What can you do in Osarmor that can't be done through HIPS in EIS?
itman 1,754 Posted August 6, 2021
8 minutes ago, NewbyUser said:
What can you do in Osarmor that can't be done through HIPS in EIS?

A hell of a lot more functionality. For starters, it has full wildcard support. Its custom rules support detection and parsing of command line paths, etc. etc. Also, a newer feature is whitelisting via Trusted Publisher specification.
itman 1,754 Posted August 6, 2021
BTW - the full MITRE ATT&CK matrix for regsvr32.exe is here: https://attack.mitre.org/techniques/T1218/010/ . The one that caught my eye as far as coin-mining goes is BlueMockingBird: https://redcanary.com/blog/blue-mockingbird-cryptominer/
NewbyUser (ESET Insiders) 74 Posted August 6, 2021
Yes, I know it's easier, but aren't the same things possible? Outside the no wildcards I mean. Not part of the thread but one thing I don't about OSA is the 10MB "License Mgr". Seems odd to me to need that much data/space to know if users legitimately bought the program.
itman 1,754 Posted August 6, 2021 (edited)
6 minutes ago, NewbyUser said:
Not part of the thread but one thing I don't about OSA is the 10MB "License Mgr"

That's the least of the unorthodox things it does. It packs its kernel mode device drivers and loads them on-the-fly.
Edited August 6, 2021 by itman