Jump to content

PowerShell/PSW.CoinStealer.B


Recommended Posts

  • Administrators
1 hour ago, oscarr said:

Interesting! Don't think if it's of any use but this was the powershell script I found in that pNYnr7eT1 directory. Like said I think it's just a thing to help hiding the execution of something from the user. Since I don't get a nervous ESET anymore I think renaming the directory this thing was in helped. Or, something else got changed.

This is a slightly modified standard system file SyncAppvPublishingServer.vbs. It's not subject to detection.

Link to comment
Share on other sites

2 hours ago, Marcos said:

This is a slightly modified standard system file SyncAppvPublishingServer.vbs. It's not subject to detection.

And I have a problem with this. The only app that uses the script is MS Access 2010 that isn't supported anymore:

Eset_SyncAppv.thumb.png.766c59cd066d3324eccf999cfca69aa2.png

https://www.exefiles.com/en/vbs/syncappvpublishingserver-vbs/

Link to comment
Share on other sites

  • Administrators

C:\Windows\System32\SyncAppvPublishingServer.vbs  is a standard part of Windows. It's found even on the latest Windows 11:

image.png

Link to comment
Share on other sites

4 minutes ago, Marcos said:

C:\Windows\System32\SyncAppvPublishingServer.vbs  is a standard part of Windows. It's found even on the latest Windows 11

It falls into the category that Microsoft refers to as "deprecated" software. It goes w/o saying that a large chunk of known WIN LOL binary attacks deploy deprecated MS software.

Link to comment
Share on other sites

@Marcosusing Win 11 with all latest updates here as well, have them as well. 

@itman That's quite a list. I googled on how to exclude the programs on that list from execution but got already tired about all the steps or is there an easy way as well? For now I just rely on NOD32, never let me down.

Link to comment
Share on other sites

  • Administrators
1 minute ago, oscarr said:


@itman That's quite a list. I googled on how to exclude the programs on that list from execution but got already tired about all the steps or is there an easy way as well? For now I just rely on NOD32, never let me down.

System files are not subject to detection so excluding them should not be needed. Exclusions could be even dangerous in case they are not bound to SHA1; in case the system files got infected with a file infector, it would run undetected.

Likewise excluding them as processes would be dangerous since it would allow for running any scripts undetected.

Link to comment
Share on other sites

1 hour ago, oscarr said:

@itman That's quite a list. I googled on how to exclude the programs on that list from execution but got already tired about all the steps or is there an easy way as well? For now I just rely on NOD32, never let me down.

First, the Microsoft article is addressed to users of Windows Defender Application Control in regard to blocking undesirable system processes. I only posted it as an example of system processes Microsoft itself recommends be blocked.

For the average user concerned about malware based attacks misusing Win system binaries and like other misuses, I recommend OSArmor: https://www.osarmor.com/ . I use it myself. Out-of-the-box using its default rules, it will protect you against all known Win based living-off-the-land-attacks. Additionally, one can create their own custom rules using features I have asked Eset for since I started using it in 2014. These are global wildcard support and the like for the HIPS.

Additionally, the developer constantly updates the product when a newly discovered attack is found. Unfortunately, a free version of the product no longer exists. I have a lifetime 50% off purchase price license which makes its cost a bit more acceptable. 

Finally, note that OSA works like Eset's HIPS in block mode. When a detection is triggered, the activity is first blocked. You are then offered an Exclude option, if selected, will auto create an exclusion rule. This will allow you to rerun the prior blocked process w/o issue thereafter.

Link to comment
Share on other sites

On 5/12/2022 at 8:33 PM, JamesR said:

I would not recommend deleting powershell and replacing it.  Powershell is not infected, it is just being misused.

As it has been about a week, can you generate a new ESET Log Collector to provide here?  When running ESET Log Collector, please ensure to select the profile "All" before clicking the "Collect" button.  This will ensure we get as many logs as possible for this:
KB3466Fig1-1j.png

 

hi I attached the latest logs . But what schedule was under microsoft deleted but was under windows was not found

 

image.thumb.png.13befe4bb5b2fff79dc630a921d6441b.png

 

 

eis_logs.zip

Link to comment
Share on other sites

  • Administrators

Please run Windows Scheduler and delete the task Microsoft\Windows\7pggoez.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...