
Win32/CoinMiner.BF



Hi all

The message "A potentially unwanted program (Win32/CoinMiner.BF) has been detected in the file on your computer. File: attrib.exe (4976)." Antivirus scanning does not help. How do I remove CoinMiner.BF?


Here's an article on what I suspect is going on: https://www.bleepingcomputer.com/news/security/cryptocurrency-miner-plays-hide-and-seek-with-popular-games-and-tools/ for reference.

A malware process is injecting into attrib.exe, a legitimate Windows process, to run the coinminer. The process injection can be done via the method noted in the bleepingcomputer.com article or by other methods.

Post the logs @Marcos requested.

Edited by itman

3 hours ago, Roman_Broadway said:

Hi. Here are

Summon @itman :)

Only Eset moderators can access forum posting attachments. You will have to wait till @Marcos analyzes it.


  • Administrators

Is the PUA detected shortly after a reboot? If so, please carry on as follows:
- create a Procmon boot log
- after a reboot stop logging only after the PUA has been detected and save the log (unfiltered)
- collect fresh logs with ELC and provide both logs for perusal.


My solution to this is to create an Eset HIPS rule to detect any process modification to C:\Windows\System32\attrib.exe and C:\Windows\SysWOW64\attrib.exe. Make it an Ask rule and set the rule logging level to Warning.

When the Eset HIPS rule triggers, respond by allowing the activity. Then post in the forum the HIPS log entries associated with this HIPS rule.

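A triage helper for the Procmon boot log requested above, added here as an example (it is not code from the thread or from ESET): it parses Procmon's CSV export and flags who launched attrib.exe, which process opened the two attrib.exe binaries watched by the HIPS rule with write access, and any network activity from attrib.exe itself, which a file-attribute tool never needs. The CSV rows are constructed sample data; only the PID 4976 comes from the original report.

```python
import csv
import io
import re

# Constructed sample in Procmon's CSV export layout; process names, times and
# the 203.0.113.10 address are invented, PID 4976 is from the original report.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
"9:01:02.1234567 AM","svchost.exe","812","CreateFile","C:\Windows\System32\attrib.exe","SUCCESS","Desired Access: Read Data/List Directory"
"9:01:03.2234567 AM","updater.exe","3344","Process Create","C:\Windows\System32\attrib.exe","SUCCESS","PID: 4976, Command line: attrib.exe"
"9:01:03.3234567 AM","updater.exe","3344","CreateFile","C:\Windows\System32\attrib.exe","SUCCESS","Desired Access: Generic Write"
"9:01:04.0000000 AM","attrib.exe","4976","TCP Connect","PC-1:52344 -> 203.0.113.10:3333","SUCCESS","Length: 0"
"""

# The same two binaries the HIPS rule in the post watches.
ATTRIB_PATHS = {
    r"c:\windows\system32\attrib.exe",
    r"c:\windows\syswow64\attrib.exe",
}
NETWORK_OPS = ("TCP Connect", "TCP Send", "UDP Send")


def is_attrib_path(path):
    return path.lower() in ATTRIB_PATHS


def flag_attrib_events(csv_text):
    """Return (kind, process, pid, detail) tuples for events worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, pid = row["Process Name"], int(row["PID"])
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        # 1. attrib.exe launched: record the parent and pull the child PID from Detail
        if op == "Process Create" and is_attrib_path(path):
            m = re.search(r"PID:\s*(\d+)", detail)
            child = int(m.group(1)) if m else None
            findings.append(("spawned attrib.exe", proc, pid, f"child PID {child}"))
        # 2. attrib.exe opened on disk with write access (tampering or replacement)
        elif op == "CreateFile" and is_attrib_path(path) and "Write" in detail:
            findings.append(("write access to attrib.exe", proc, pid, detail))
        # 3. attrib.exe itself talking on the network
        elif proc.lower() == "attrib.exe" and op in NETWORK_OPS:
            findings.append(("network activity from attrib.exe", proc, pid, path))
    return findings


if __name__ == "__main__":
    for finding in flag_attrib_events(SAMPLE_CSV):
        print(finding)
```

To use it on a real capture, export the Procmon boot log as CSV (File > Save, CSV format) and pass the file contents to flag_attrib_events; the parent process named in the "spawned attrib.exe" finding is the one to look at first.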