CoinMiner detected

[Headshot557 0]

Hi ESET,

I am getting this message every 15 to 20 seconds and don't know how to fix it.

a threat (MSIL/coinminer.BLB) was found in a file that dotnet tried to access

 

Please help

 

 

[peteyt 393]

36 minutes ago, Headshot557 said:

Hi ESET,

I am getting this message every 15 to 20 seconds and don't know how to fix it.

a threat (MSIL/coinminer.BLB) was found in a file that dotnet tried to access

 

Please help

 

 

Have you installed/downloaded anything lately as it seems you have a coinminer. Does this occur only when the browser is open? If so could be an addon

[Marcos 5,074]

For a start please provide logs collected with ESET Log Collector.

[itman 1,659]

I found a recent thread in this forum directly related to this coinminer: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/page/2/ .

Run an Eset scan preferably as Administrator. Eset should remove the coinminer and stop the alerts being displayed.

-EDIT- Previous detections of this coin-miner showed that this folder, C:\Users\xxxxxx\AppData\Roaming\Microsoft\HashCalc\MD5, contains a .exe and .dll used by the coin-miner.

Edited August 5, 2021 by itman

[itman 1,659]

A few sources for a HashCalc download are shown below. My money is on the Google Play app as the culprit:

hxxps://www.slavasoft.com/hashcalc/

hxxps://play.google.com/store/apps/details?id=com.goyalsoftech.hashcalc&hl=en_US&gl=US

[safety 8]

check this file. there is no detection on it yet

 

Quote

Полное имя                  C:\USERS\***\APPDATA\ROAMING\STEAMAPI\CHARTTABLE\GAMESLIST\STEAMAPILIB.DLL
Имя файла                   STEAMAPILIB.DLL
Тек. статус                 АКТИВНЫЙ ?ВИРУС? ВИРУС ВНЕДРЯЕМЫЙ ПОДОЗРИТЕЛЬНЫЙ DLL в автозапуске [Запускался неявно или вручную]
                            
Обнаруженные сигнатуры      
Сигнатура                   MSIL/Agent.TPR [ESET-NOD32] (delall) [глубина совпадения 64(64), необх. минимум 64, максимум 64] 2020-03-07
                            
www.virustotal.com          2021-08-05 22:58 [2021-08-05]
-                           Файл был чист на момент проверки.
                            
Удовлетворяет критериям     
TR.BITCOIN-MINER            (ССЫЛКА ~ \TASKS\STEAM)(1) [auto (0)]
                            
Сохраненная информация      на момент создания образа
Статус                      АКТИВНЫЙ ВНЕДРЯЕМЫЙ DLL в автозапуске [Запускался неявно или вручную]
File_Id                     610AB432E000
Linker                      11.0
Размер                      25600 байт
Создан                      05.08.2021 в 11:58:40
Изменен                     05.08.2021 в 11:58:40
                            
TimeStamp                   04.08.2021 в 15:37:22
EntryPoint                  +
OS Version                  0.0
Subsystem                   Windows character-mode user interface (CUI) subsystem
IMAGE_FILE_DLL              +
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла                   64-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись               Отсутствует либо ее не удалось проверить
                            
Оригинальное имя            GoogleImageShell.dll
Версия файла                1.2.0.0
Описание                    Run32Shell
Производитель               
Комментарий                 
                            
Доп. информация             на момент обновления списка
Файл                        C:\WINDOWS\SYSTEM32\REGSVR32.EXE
CmdLine                     regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll
CmdLine                     /S C:\USERS\***\APPDATA\ROAMING\STEAMAPI\CHARTTABLE\GAMESLIST\STEAMAPILIB.DLL
SHA1                        CEF5AA279F639D500F83F51AE3BB846A2908019D
MD5                         97000AA67D7D8D6818383B683EB0C7CC
                            
Процессы                    на момент обновления списка
Процесс                     C:\WINDOWS\SYSTEM32\REGSVR32.EXE [2424]
                            
Ссылки на объект            
Ссылка                      C:\WINDOWS\SYSTEM32\TASKS\STEAMCHARTTABLEBUILDER
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F46ADFC3-FEB2-4F18-AF46-A075FD64C3C2}\Actions
Actions                     "regsvr32.exe" /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll
                            
Ссылка                      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F46ADFC3-FEB2-4F18-AF46-A075FD64C3C2}\
                            

 

[safety 8]

"Задача" = "c:\windows\system32\tasks\SteamChartTableBuilder" ( 4: Неизвестно ) ;
"Командная строка" = "regsvr32.exe /s C:\****\Goodwin\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" ( 4: Неизвестно ) ; Run32Shell ;  ;

 

"Командная строка" = "regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" ( 4: Неизвестно ) ; Run32Shell ;  ;
"SHA1" = "" ( 4: Неизвестно ) ;
"Последнее время записи" = "2021/08/05  10:45" ( 4: Неизвестно ) ;
"Время создания" = "2021/08/05  10:45" ( 4: Неизвестно ) ;
"Размер файла" = "25600" ( 4: Неизвестно ) ;
"Описание файла" = "Run32Shell" ( 4: Неизвестно ) ;
"Название компании" = "" ( 4: Неизвестно ) ;
"Версия файла" = "1.2.0.0" ( 4: Неизвестно ) ;
"Имя продукта" = "Run32Shell" ( 4: Неизвестно ) ;
"Внутреннее имя" = "GoogleImageShell.dll" ( 4: Неизвестно ) ;
"Возраст (облака)" = "сегодня" ( 4: Неизвестно ) ;
"Объем (облака)" = "1" ( 4: Неизвестно ) ;
"Ссылается на" = "Задачи планировщика системы -> c:\windows\system32\tasks\SteamChartTableBuilder -> regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll"

 

 

 

[Marcos 5,074]

The offending file is already detected. You may need to reboot the machine to enforce getting streamed updates that add detection.

[itman 1,659]

I have converted the Russian language posting above:

Quote

"Task" = "c:\windows\system32\tasks\SteamChartTableBuilder" (4: Unknown) ; "Command Line" = "regsvr32.exe /s C:\****\Goodwin\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" (4: Unknown) ;

Run32Shell ; ;

"Command Line" = "regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll" (4: Unknown) ;
 
Run32Shell ; ;
 
"SHA1" = "" (4: Unknown) ;
"Last recorded" = "2021/08/05 10:45" (4: Unknown) ;
"Creation time" = "2021/08/05 10:45" (4: Unknown) ;
"File size" = "25600" (4: Unknown) ;
"File Description" = "Run32Shell" (4: Unknown) ;
"Company name" = "" (4: Unknown) ;
"File version" = "1.2.0.0" (4: Unknown) ;
"Product Name" = "Run32Shell" (4: Unknown) ;
"Internal name" = "GoogleImageShell.dll" (4: Unknown) ;
"Age (clouds)" = "today" (4: Unknown) ;
"Volume (clouds)" = "1" (4: Unknown) ;

"Refers to" = "System Scheduler Tasks -> c:\windows\system32\tasks\SteamChartTableBuilder -> regsvr32.exe /s C:\Users\***\AppData\Roaming\SteamApi\ChartTable\GamesList\SteamApiLib.dll"

Question here is why the creation of a scheduled task to register a .dll was not flagged as suspicious? More so when the .dll is stored in a user AppData directory folder.

Edited August 6, 2021 by itman

[Marcos 5,074]

What may look suspicious at the first sight, on a global worldwide scale it usually turns out to be a common practice that legit software uses.

[itman 1,659]

20 minutes ago, Marcos said:

What may look suspicious at the first sight, on a global worldwide scale it usually turns out to be a common practice that legit software uses.

Per expected response, this is why is use another security product to protect me against Win LOL binary attacks;

[itman 1,659]

I will also add that I have had an Eset HIPS rule in place for some time to detect any child process startup from regsvc32.exe. It has never been triggered to date indicating such activity would be far from the norm. I also monitor any outbound network traffic from regsvc32.exe using an Eset firewall rule - see below why.

Then there is the infamous Casey Smith "squiblydoo" regsvr32.exe whitelisting bypass that reeked havoc for sometime after it was published and still does today:

Quote

Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS.

https://car.mitre.org/analytics/CAR-2019-04-003/

It can allow for remote code execution by specify a C&C server IP address in the command line.

Edited August 6, 2021 by itman

[NewbyUser 73]

8 hours ago, itman said:

Per expected response, this is why is use another security product to protect me against Win LOL binary attacks;

What can you do in Osarmor that can't be done through HIPS in EIS?

[itman 1,659]

8 minutes ago, NewbyUser said:

What can you do in Osarmor that can't be done through HIPS in EIS?

A hell of a lot more functionality.

For starters, it has full wildcard support. It's custom rules support detection and parsing of command line paths, etc. etc.. Also, a newer feature is whitelisting via Trusted Publisher specification.

 

[itman 1,659]

BTW - the full MITRE attack matrix for regsvc32.exe is here: https://attack.mitre.org/techniques/T1218/010/ . The one that caught my eye as far as coin-mining goes is BlueMockingBird: https://redcanary.com/blog/blue-mockingbird-cryptominer/

[NewbyUser 73]

Yes, I know its easier, but aren't the same things possible? Outside the no wildcards I mean. Not part of the thread but one thing I don't about OSA is the 10MB "License Mgr"  Seems odd to me to need that much data/space to know if users legitimately bought the program. 

[itman 1,659]

6 minutes ago, NewbyUser said:

Not part of the thread but one thing I don't about OSA is the 10MB "License Mgr" 

That's the least of the unorthodox things it does. It packs its kernel mode device drivers and loads them on-the-fly.

Edited August 6, 2021 by itman