Jump to content

Win32/CoinMiner.BF


Recommended Posts

Hi all

The message "A potentially unwanted program (Win32 / CoinMiner.BF) has been detected in the file on your computer. File: attrib.exe (4976). Antivirus scanning does not help. How do I remove CoinMiner.BF?

 

1502333713_.png.a5e4a11806444d26b1007f2aba3bf583.png

Link to comment
Share on other sites

Here's an article on what I suspect is going on: https://www.bleepingcomputer.com/news/security/cryptocurrency-miner-plays-hide-and-seek-with-popular-games-and-tools/ for reference.

A malware process is injecting attrib.exe, a legit Win process, to run the coinminer. The process injection can be done via method noted in the bleepingcomputer.com article or by other methods.

Post the logs @Marcos requested.

Edited by itman
Link to comment
Share on other sites

3 hours ago, Roman_Broadway said:

Hi. Here are

Summon @itman :)

Only Eset moderators can access forum posting attachments. You will have to wait till @Marcos analyzes it.

Link to comment
Share on other sites

  • Administrators

Is the PUA detected shortly after a reboot? If so, please carry on as follows:
- create a Procmon boot log
- after a reboot stop logging only after the PUA has been detected and save the log (unfiltered)
- collect fresh logs with ELC and provide both logs for perusal.

Link to comment
Share on other sites

My solution to this is create an Eset HIPS rule to detect any process modification to C:\Windows\System32\attrib.exe and C:\Windows\SysWOW64\attrib.exe. Make it an Ask rule and set rule logging level to Warning.

When the Eset HIPS rule triggers, respond by allowing the activity. The post in the forum the HIPS log entries associated with this HIPS rule.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...