Jump to content

PowerShell/PSW.CoinStealer.B


Recommended Posts

Hey guys,

 

The title says it all.

 

I had this notification coming up after cleaning the other powershell popup from popping every time I turned on my PC.

 

It says:  Threat Removed

 

A threat  (PowerShell/PSW.CoinStealer.B)  was found in a File that  >_ Windows PowerShell  tried to access.

 

The access has been blocked.

 

Anyone had this nowadays or even before? Come forward please!

 

Cheers,

Link to comment
Share on other sites

Posted (edited)

First, post the entry from the Eset Detections log related to this. Right button mouse click on the entry and select "copy."

Next, did Eset detect this PoweShell based coin miner at system startup time, or sometime later?

Finally, repeat the Task Schedule procedure for the other PowerShell detection and verify that the NetServices task was not re-created.

-EDIT- Also have you installed any free games recently? Worse, have you installed cracked games or other software?

Edited by itman
Link to comment
Share on other sites

  • Administrators

How is it now? A while ago we've added a detection for one more command line which should now be detected as @Trojan.PowerShell/Agent.AFE. If it's detected and you reboot the machine then, does it eventually resolve the issues? You could provide fresh ELC logs for a check and to make sure there are no further malware leftovers.

Link to comment
Share on other sites

Hi ,

eset detect on the start up

 

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/5/2022 9:59:19 PM;AMSI scanner;file;script;PowerShell/PSW.CoinStealer.B trojan;blocked;HP-OMEN\SHARIF;;13DF47E8EE043D88ACC81942ECD827B8BD0F22A7;

 

this is my logs . I attached the ESET Log Collector logs .

 

 

Thank you

 

 

 

 

 

eis_logs.zip

Link to comment
Share on other sites

16 hours ago, itman said:

First, post the entry from the Eset Detections log related to this. Right button mouse click on the entry and select "copy."

Next, did Eset detect this PoweShell based coin miner at system startup time, or sometime later?

Finally, repeat the Task Schedule procedure for the other PowerShell detection and verify that the NetServices task was not re-created.

-EDIT- Also have you installed any free games recently? Worse, have you installed cracked games or other software?

First, working on the eset detections log but still don't how to it.

 

Next, ESEt detected that new powershell a few hours after doing some work on my PC.

 

Finally, repeated the Task Schedule thingy and NetServices was OFF or not present in the entry.

 

For the Edit part, Yes, guilty as charged and should never listen to others when installing cracked wares :(

 

Regards,

Link to comment
Share on other sites

  • Administrators

 

8 hours ago, sharif said:

this is my logs . I attached the ESET Log Collector logs .

Please provide me with:
C:\WINDOWS\{34A68307-58C5-4F29-9A41-9C7C0CECA01A}.txt
C:\WINDOWS\{0EAFDFE9-6C5F-4EF3-8CA3-16764C7036E9}.txt

Then run WIndows scheduler and delete these tasks:

Microsoft\Windows\YNbvqj\{0C8DCA40-B30A-414A-8C48-A7066C5571C8}
Microsoft\Windows\7pggoez\{0167B239-A303-4B3B-81BA-AAC4CE7F76C1}

After a reboot the threat should be no longer detected.

Link to comment
Share on other sites

Here is what I get a few mins after startup.

 

Hope it helps others and deal with these kinna situations!

 

@MarcosPlz standby for the info you've asked a few mins ago. I'm on it

Esest new trojan shot.jpg

Link to comment
Share on other sites

sorry Marcos, I misread the reply to sharif that was not me :P

 

I tried to edit my post and delete that part but could not do it :)

Link to comment
Share on other sites

17 hours ago, itman said:

First, post the entry from the Eset Detections log related to this. Right button mouse click on the entry and select "copy."

I believe here is whacchu wanted bro,

 

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/7/2022 2:21:06 PM;AMSI scanner;file;script;PowerShell/PSW.CoinStealer.B trojan;blocked;SPEC\Administrator;;5BCD98973668DD2C50E16C3B763AD89A3B722A9D;

 

Let me know if I'm on another planet :P

Link to comment
Share on other sites

  • Administrators
2 hours ago, Shogun1 said:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
5/7/2022 2:21:06 PM;AMSI scanner;file;script;PowerShell/PSW.CoinStealer.B trojan;blocked;SPEC\Administrator;;5BCD98973668DD2C50E16C3B763AD89A3B722A9D;

Please provide logs collected with ESET Log Collector.

Link to comment
Share on other sites

29 minutes ago, Marcos said:

Please provide logs collected with ESET Log Collector.

Here is the logs collected step-by-step according to your tutorial link,

 

But I have another bogey that I am going to post for ESET to deal with. After that I will format this PC and deal with the other one with the community here. The reason for that I can't format the other one sooner ... Having said, the Trojan guys must be laughing and saying goccha sucka :D

 

PS. I'll upping the other log collect very soon :)

eis_logs.zip

Link to comment
Share on other sites

  • Administrators
14 minutes ago, Shogun1 said:

Here is the logs collected step-by-step according to your tutorial link,

Please provide me with:
C:\Windows\5VTmiALPr\2ACEC626-3086-444A-9185-BF558A9220EE.txt
C:\Windows\System32\drivers\MUoZv\7959418D-665C-4D81-81BC-4BCD30492530.sys

Also provide ELC logs collected with "Threat detection" template selected in the ELC menu.
 

Link to comment
Share on other sites

4 minutes ago, Marcos said:

C:\Windows\5VTmiALPr\2ACEC626-3086-444A-9185-BF558A9220EE.txt
C:\Windows\System32\drivers\MUoZv\7959418D-665C-4D81-81BC-4BCD30492530.sys

I don't have these entries in my PC :(

Link to comment
Share on other sites

4 hours ago, Marcos said:

Please provide me with:

C:\Windows\System32\drivers\MUoZv\7959418D-665C-4D81-81BC-4BCD30492530.sys

It is possible the driver is being created/deleted "on the fly."

Eset_Drivers.thumb.png.ec6f5e14db87483fce7914f9cd12e231.png

 

Link to comment
Share on other sites

  • Administrators
5 hours ago, Shogun1 said:

I don't have these entries in my PC :(

Did you have display of hidden files enabled? I prefer using a file manager that shows all files, including hidden ones by default.

Link to comment
Share on other sites

Posted (edited)

It appears the OP is in the process of reformatting and reinstalling Windows on his infected devices. Under the current circumstances, that appears to be the advisable thing to do.

Once Windows is reinstalled, please refer to my recommendation posted here: https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150390 .

Also, please don't install cracked software again. Note that many of these are using a hacked installer to drop malware on devices.

Edited by itman
Link to comment
Share on other sites

11 hours ago, itman said:

It appears the OP is in the process of reformatting and reinstalling Windows on his infected devices. Under the current circumstances, that appears to be the advisable thing to do.

Once Windows is reinstalled, please refer to my recommendation posted here: https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150390 .

Also, please don't install cracked software again. Note that many of these are using a hacked installer to drop malware on devices.

DONE and DONE ma maaan 👍

 

I will get on my other laptop to deal with this unnecessary mishap during this world crisis from one side and these ruthless people from the other side!

 

All the best :)

 

PS. Will continue sharing what's going with my other PC shortly. Thanks yawl

 

@MarcosWill get on those entries sorted out shortly too coz I got same issue there with the situation!

Link to comment
Share on other sites

On 5/7/2022 at 8:14 AM, Marcos said:

  

Please provide me with:
C:\WINDOWS\{34A68307-58C5-4F29-9A41-9C7C0CECA01A}.txt
C:\WINDOWS\{0EAFDFE9-6C5F-4EF3-8CA3-16764C7036E9}.txt

Then run WIndows scheduler and delete these tasks:

Microsoft\Windows\YNbvqj\{0C8DCA40-B30A-414A-8C48-A7066C5571C8}
Microsoft\Windows\7pggoez\{0167B239-A303-4B3B-81BA-AAC4CE7F76C1}

After a reboot the threat should be no longer detected.

hi ,

Sorry for late replay .. I attached the required

 

{0EAFDFE9-6C5F-4EF3-8CA3-16764C7036E9}.txt {34A68307-58C5-4F29-9A41-9C7C0CECA01A}.txt

Link to comment
Share on other sites

Hi ,

Sorry how to delete the following tasks from the task schedule :

Microsoft\Windows\YNbvqj\{0C8DCA40-B30A-414A-8C48-A7066C5571C8}
Microsoft\Windows\7pggoez\{0167B239-A303-4B3B-81BA-AAC4CE7F76C1}

And how about deleting the poweshell file using linux live cd and copy a new file will it solve the issue ?

 

Link to comment
Share on other sites

  • ESET Staff
16 minutes ago, sharif said:

Hi ,

Sorry how to delete the following tasks from the task schedule :

Microsoft\Windows\YNbvqj\{0C8DCA40-B30A-414A-8C48-A7066C5571C8}
Microsoft\Windows\7pggoez\{0167B239-A303-4B3B-81BA-AAC4CE7F76C1}

And how about deleting the poweshell file using linux live cd and copy a new file will it solve the issue ?

 

I would not recommend deleting powershell and replacing it.  Powershell is not infected, it is just being misused.

As it has been about a week, can you generate a new ESET Log Collector to provide here?  When running ESET Log Collector, please ensure to select the profile "All" before clicking the "Collect" button.  This will ensure we get as many logs as possible for this:
KB3466Fig1-1j.png

Link to comment
Share on other sites

Posted (edited)
1 hour ago, sharif said:

Sorry how to delete the following tasks from the task schedule :

Microsoft\Windows\YNbvqj\{0C8DCA40-B30A-414A-8C48-A7066C5571C8}
Microsoft\Windows\7pggoez\{0167B239-A303-4B3B-81BA-AAC4CE7F76C1}

Open Windows Task Scheduler. Easiest way to do this is type "Task Scheduler" in Win 10 desktop toolbar Search window.

Once Task Manager is opened, the first thing to do is mouse click on the View tab and checkmark "Show Hidden Tasks."

Then open Task Scheduler Library folder.

Perform the following:

1. Open Microsoft folder.

2. Open Windows folder.

Navigate downward until 7pggoez folder is found. Open the 7pggoez folder. Delete the task named {0C8DCA40-B30A-414A-8C48-A7066C5571C8} by right button mouse clicking on it and selecting Delete. I am not sure if { and } will be shown at the beginning and end of the reg. key value. Note: if task named {0C8DCA40-B30A-414A-8C48-A7066C5571C8} cannot be found, take a screen shot of what tasks are displayed.

Navigate downward until YNbvqj folder is found. Open the YNbvqj folder. Delete the task named {0167B239-A303-4B3B-81BA-AAC4CE7F76C1} by right button mouse clicking on it and selecting Delete. Note: if task named {0167B239-A303-4B3B-81BA-AAC4CE7F76C1} cannot be found, take a screen shot of what tasks are displayed.

Edited by itman
Link to comment
Share on other sites

Hello!

I had the same nasty bugger every time I started my PC. The problem is a bit that ESET does say it found it and removed the thread but it doesn't give you any clue of where to look.

I looked at some other places and found a simple powershell script which is (I think) used to supress the output/errors from the execution of the 'coin stealer'. I think it's even a legit Microsoft script but it's located in an obscure directory. In my case it was windows/system32/pNYnr7eT1 and it's name was 'ABDA11A9-426A-4502-AD21-CF4E4B5F6D59'

Instead of looking in all logs I just started event viewer, looked under Applications and Services Logs > Windows PowerShell and checked the executions against the times the coin stealer was detected (see attachment),

That points me directly to the location of the virus/trojan itself which is C:\Windows\System32\drivers\DfTph\D13FD5F3-3DBE-4FF7-BEFA-932CA6538238.sys (a file of 4147kB).

I renamed that first directory where the normal script is located and I think it prevented the virus from getting active since ESET didn't said something after restart and the event viewer is also not showing the activity.

Nasty thing is that ESET itself doesn't recognize the .sys as a virus. But none did at VirusTotal: VirusTotal - File - bbbd57acdae11e57235a1270e6663b3ea9c7c80080aac07d2711dc4c3f08b098

If I can make someone happy with the .sys file, let me know. But wanted to react since it's way easier to just check EventViewer for weird powershell access.

Kind regards,

Oscar
 

Screenshot 2022-05-14 111834.png

Link to comment
Share on other sites

  • Administrators
1 hour ago, oscarr said:

Nasty thing is that ESET itself doesn't recognize the .sys as a virus. But none did at VirusTotal: VirusTotal - File - bbbd57acdae11e57235a1270e6663b3ea9c7c80080aac07d2711dc4c3f08b098

This file will not be detected. However, the malicious PowerShell script hiding in the log is detected by ESET:

PowerShell/PSW.CoinStealer.B trojan

If you are having issues with ESET cleaning the threat, please provide logs collected with ESET Log Collector.

Link to comment
Share on other sites

On 5/14/2022 at 5:21 AM, oscarr said:

That points me directly to the location of the virus/trojan itself which is C:\Windows\System32\drivers\DfTph\D13FD5F3-3DBE-4FF7-BEFA-932CA6538238.sys (a file of 4147kB).

I renamed that first directory where the normal script is located and I think it prevented the virus from getting active since ESET didn't said something after restart and the event viewer is also not showing the activity.

Nasty thing is that ESET itself doesn't recognize the .sys as a virus. But none did at VirusTotal: VirusTotal - File - bbbd57acdae11e57235a1270e6663b3ea9c7c80080aac07d2711dc4c3f08b098

Per the VT details posted, the .sys file is not a driver. Or for that matter, any file type identifiable by VT.

What's currently being deployed in the wild is a "two stage" Powershell attack to deploy coin miners on devices.

The first stage of the attack is to drop on the targeted device, a Base64 encrypted file containing the coin miner code. In reality, the file can use any suffix and can be dropped in any Win installation directory the attacker has access to. To date, a .txt file has been observed along with this .sys file instance.

The second stage of the attack drops the PowerShell script on the device and executes it. Part of the script execution processing is to access the prior dropped Base64 encrypted file, decrypt it, then "pipe" the coin miner code into PowerShell.exe  memory and execute it.

The last stage of the attack is to set a persistence mechanism so that the above PowerShell script runs at system startup time.

Link to comment
Share on other sites

Interesting! Don't think if it's of any use but this was the powershell script I found in that pNYnr7eT1 directory. Like said I think it's just a thing to help hiding the execution of something from the user. Since I don't get a nervous ESET anymore I think renaming the directory this thing was in helped. Or, something else got changed.

The file I dropped on VirusTotal is still there on it's original place but I don't get a popup anymore from ESET and I don't see it back in the EventLog. So I do have the feeling it is connected. I might have uninstalled some programs but it would be odd if uninstalling a program with a virus also removed the virus.

Anyway, I'm happy it seems gone and if someone needs a file to examine I'm happy to help.

ABDA11A9-426A-4502-AD21-CF4E4B5F6D59.txt

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...