win64/coinminer.afz


Hallo,

I am not a computer expert, but:

I've been experiencing a notification via ESET for the past few months.

Win64/Coinminer.afz (Trojan horse), object spoolsv.exe.

After the message, the computer shuts down and starts up again. How can I get rid of / fix this?


  • Administrators

It appears that you have excluded the process C:\Windows\System32\spoolsv.exe in which the malware was detected. This exclusion must be removed.

Is the threat detected after removing the process exclusion, disconnecting the machine from network and rebooting the machine?


Marcos,

 

We have performed the above; unfortunately this does not have the desired result.

The machine keeps seeing the coinminer and restarting.

See Log File

 

Also, we did a boot with the ESET rescue disk, with a deep scan.

It does not find anything at all.

What to do?

 

eea_logs.zip


Copy the Eset Detections log entry related to this coin miner detection and post it in your next reply.

I, for one, am not convinced the spoolsv.exe process being abused here is the one resident in the C:\Windows\System32\ directory.


Posted (edited)

I will also ask whether your Win OS version is fully patched.

Quote

Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild

A security flaw in the Windows Print Spooler component that was patched by Microsoft in February is being actively exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned.

To that end, the agency has added the shortcoming to its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to address the issues by May 10, 2022.

Tracked as CVE-2022-22718 (CVSS score: 7.8), the security vulnerability is one among the four privilege escalation flaws in the Print Spooler that Microsoft resolved as part of its Patch Tuesday updates on February 8, 2022.

https://thehackernews.com/2022/04/hackers-exploiting-recently-reported.html

Edited by itman

Machine fully patched. CVE-2022-22718 also processed. Machine continues to report. Anyone else have a suggestion?


54 minutes ago, B69 said:

Anyone else have a suggestion?

You never posted the Eset Detections log entry I previously requested.


  • 2 weeks later...
On 5/17/2022 at 12:12 PM, itman said:

You never posted the Eset Detections log entry I previously requested.

You need to copy and paste the log entry in your forum reply. Only Eset moderators can access a forum attachment.


On 5/30/2022 at 9:02 AM, itman said:

You need to copy and paste the log entry in your forum reply. Only Eset moderators can access a forum attachment.

Do not post the Detection log entry as an attachment. Copy and paste it into your forum reply.

To copy an Eset log entry, right button mouse click on the entry and select Copy. Then create a forum reply. Finally, right button mouse click in the reply window and select Paste.


  • 2 weeks later...
  • Most Valued Members
Posted (edited)
29 minutes ago, B69 said:

What itman means is that you copy and paste what occurred to you in the detection logs, because the attachments cannot be opened by normal users, only by Eset staff.

You can copy and paste the text that appeared in the logs or just simply take a screenshot of it.

 

You can right click the detection of the CoinMiner and press Copy and then you can after that paste it to the forum here.

Edited by Nightowl

  • 3 weeks later...

Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier
29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);een variant van Win64/CoinMiner.AFZ trojaans paard;bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
 


  • Administrators
7 minutes ago, B69 said:

Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier
29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);een variant van Win64/CoinMiner.AFZ trojaans paard;bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
 

Please provide logs collected with ESET Log Collector and "Threat detection" template selected in ELC.


BTW - the log entry translated yields:

Time;Scanner;ObjectType;Object;Detection;Action;User;Information;Hash;First seen here
6/29-2022 7:59:27;Advanced memory scanner;file;Memory memory » spoolsv.exe(1544);a variant of Win64/CoinMiner.AFZ trojan horse;contains infected files (after next reboot);;; B6D31B120E905B753109CB0985C1F7818D10A40E;
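The entry above is what ESET produces when a Detections row is copied out of the GUI: one semicolon-separated header line, then one row per detection, with the header in the product's display language (Dutch here). As an added example that is not from this thread or from ESET, the following PowerShell parses such an export offline, maps the columns by position so the localized header does not matter, and extracts the process name and PID from the Object field; the English column names and the function name are my own.

```powershell
# Added example (not from the forum thread or ESET): parse an ESET "Detections"
# log export as posted above. The header is localized, so columns are mapped by
# position, not by name.

# Constructed input: the header and the single entry quoted in the thread.
$exportText = @'
Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier
29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);een variant van Win64/CoinMiner.AFZ trojaans paard;bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
'@

# English names for the ten columns, in the order ESET exports them (my naming).
$columns = 'Time','Scanner','ObjectType','Object','Detection','Action','User','Information','Hash','FirstSeenHere'

function ConvertFrom-EsetDetectionExport {
    param([Parameter(Mandatory)][string]$Text)

    $lines = $Text -split "`r?`n" | Where-Object { $_.Trim() -ne '' }
    # Drop the localized header line and bind the data rows to the English names.
    $rows = $lines | Select-Object -Skip 1 | ConvertFrom-Csv -Delimiter ';' -Header $columns

    foreach ($row in $rows) {
        # "Werkgeheugen » spoolsv.exe(1544)" -> process name "spoolsv.exe", PID 1544.
        $procName = $null
        $procId   = $null
        if ($row.Object -match '([^»\\/]+?)\((\d+)\)\s*$') {
            $procName = $Matches[1].Trim()
            $procId   = [int]$Matches[2]
        }

        [pscustomobject]@{
            Time        = $row.Time
            Scanner     = $row.Scanner
            Object      = $row.Object
            ProcessName = $procName
            ProcessId   = $procId
            Detection   = $row.Detection
            Action      = $row.Action
            Hash        = $row.Hash
            # A memory-scanner hit on "Werkgeheugen » <process>" means the code was
            # found inside a running process, which is why an offline disk scan
            # (such as the rescue disk mentioned earlier) can come back clean.
            InMemory    = ($row.Object -like '*»*') -and ($row.Scanner -match 'geheugen|memory')
        }
    }
}

ConvertFrom-EsetDetectionExport -Text $exportText | Format-List
```

For the entry on this page the parsed object reports ProcessName spoolsv.exe, ProcessId 1544 and InMemory set, which is the detail the later replies turn on: the detection is against the running process, not a file on disk.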


Very odd that you're receiving the Eset detection activity once a month on the same date, the seventh. Must be a scheduled task set up to run monthly.

Also, whatever the source malware is, it is injecting spoolsv.exe.

You could try to create an Eset HIPS rule to monitor any process modification of C:\Windows\System32\spoolsv.exe. Make sure you set the logging level to warning. If this rule is triggered by a non-legit Windows process, block it when the alert presents. However, this process runs as a Windows service; i.e. svchost.exe. It is possible the malware is starting svchost.exe in suspended mode and performing a process hollowing routine against spoolsv.exe to inject the malware.
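The two hypotheses in this reply (a monthly scheduled task as the trigger, and a spoolsv.exe that is not the genuine one or is being hollowed) can both be checked from the affected host before any HIPS rule is written. The script below is an added example, not itman's or ESET's code; the cmdlets are standard Windows PowerShell, while the output property names, the day-of-month value and the assumption that ESET's Hash column is the SHA-1 of the detected file are mine. Run it from an elevated prompt.

```powershell
# Added example (not from the thread or ESET): defender-side checks for the
# hypotheses above. Run elevated so ExecutablePath is visible for system processes.

$detectionDay = 7                                            # day of month the alerts recur on (per the thread)
$reportedHash = 'B6D31B120E905B753109CB0985C1F7818D10A40E'   # Hash column from the posted log entry
                                                             # (assumed here to be SHA-1 of the on-disk file)

# 1. Every running spoolsv.exe: where it was loaded from, who signed it, and what started it.
#    The genuine spooler is %SystemRoot%\System32\spoolsv.exe, Microsoft-signed and started
#    by services.exe. A different path, signer or parent is the first thing to look at.
$expectedPath = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
$spoolers = Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'"
foreach ($p in $spoolers) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $sig    = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath }
    $sha1   = if ($p.ExecutablePath) { (Get-FileHash -Algorithm SHA1 -Path $p.ExecutablePath).Hash }
    [pscustomobject]@{
        ProcessId        = $p.ProcessId
        Path             = $p.ExecutablePath
        PathIsExpected   = $p.ExecutablePath -eq $expectedPath
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        Parent           = "$($parent.Name) ($($p.ParentProcessId))"
        ParentIsServices = $parent.Name -eq 'services.exe'
        Sha1             = $sha1
        Sha1MatchesLog   = $sha1 -eq $reportedHash
    }
}

# 2. Scheduled tasks that last ran, or will next run, on the day the alert recurs.
#    A task firing on the same date each month is the simplest explanation for the
#    monthly pattern; review the Actions of anything you do not recognise.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($d in @($info.LastRunTime, $info.NextRunTime)) {
        if ($d -and $d.Day -eq $detectionDay) {
            [pscustomobject]@{
                Task    = Join-Path $task.TaskPath $task.TaskName
                State   = $task.State
                LastRun = $info.LastRunTime
                NextRun = $info.NextRunTime
                Actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
            break   # report each task once even if both dates match
        }
    }
}
```

A spoolsv.exe whose path, signer and parent all check out but which ESET still flags in memory is consistent with the hollowing scenario described above, so a clean result from part 1 does not rule it out; part 2 narrows down what is launching the injector. Note that LastRunTime for a task that has never run is a placeholder date, so treat a match on that field as a lead, not proof.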

