win64/coinminer.afz

[B69 0]

Hallo,

I am not a computer expert but : 

I've been experiencing a notification via ESET for the past few months.

Win64/Coinminer.afz. ( Trojan horse) Object spoolsv.exe.

After the message, shut down the computer and start up again. How can I get rid of / fix this?

[Marcos 4,714]

Please provide logs collected with ESET Log Collector for a start. Make sure to select "Threat detection" in the ELC menu.

[Marcos 4,714]

It appears that you have excluded the process C:\Windows\System32\spoolsv.exe in which the malware was detected. This exclusion must be removed.

Is the threat detected after removing the process exclusion, disconnecting the machine from network and rebooting the machine?

[B69 0]

Marcos,

 

we have performed the above unfortunately this does not have the desired result.

Machine keeps seeing the coinminer and restarting .

See Log File

 

Also we did a boot with rescue disk Eset, with deep scan

Does not find anything  at all.

What to do?

 

eea_logs.zip

[itman 1,542]

Copy the the Eset Detections log entry related to this coin miner detection and post it in your next reply.

I, for one, am not convinced the spoolsv.exe process being abused here is the one resident in C:\Windows\System32\ directory.

[itman 1,542]

I will also ask if your Win OS version is fully patched?

Quote

Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild

A security flaw in the Windows Print Spooler component that was patched by Microsoft in February is being actively exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned.

To that end, the agency has added the shortcoming to its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to address the issues by May 10, 2022.

Tracked as CVE-2022-22718 (CVSS score: 7.8), the security vulnerability is one among the four privilege escalation flaws in the Print Spooler that Microsoft resolved as part of its Patch Tuesday updates on February 8, 2022.

https://thehackernews.com/2022/04/hackers-exploiting-recently-reported.html

Edited May 13, 2022 by itman

[B69 0]

Machine fully patched. CVE-2022-22718 also processed. Machine continues to report. Anyone else have a suggestion?

[itman 1,542]

54 minutes ago, B69 said:

Anyone else have a suggestion?

You never posted the Eset Detections log entry I previously requested.

[B69 0]

ESVC_PC11_20220524115438.zip

[itman 1,542]

On 5/17/2022 at 12:12 PM, itman said:

You never posted the Eset Detections log entry I previously requested.

You need to copy and paste the log entry in your forum reply. Only Eset moderators can access a forum attachment.

[B69 0]

ESVC_PC11_20220524115438.zip

[itman 1,542]

On 5/30/2022 at 9:02 AM, itman said:

You need to copy and paste the log entry in your forum reply. Only Eset moderators can access a forum attachment.

Do not post the Detection log entry as an attachment. Copy and paste it into your forum reply.

To copy an Eset log entry, right button mouse click on the entry and select Copy. Then create a forum reply. Finally, right button mouse click in the reply window and select Paste.

[B69 0]

ESVC_PC11_20220524115438.zip

 

[Nightowl 187]

29 minutes ago, B69 said:

ESVC_PC11_20220524115438.zipUnavailable

 

What itman means is that you copy and paste what occured to you in the detection logs because the attachments cannot be opened by normal users , only by eset staff

you can copy and paste the text that appeared on the logs or just simply take a screenshot of it.

 

You can right click the detection of the CoinMiner and press Copy and then you can after that paste it to the forum here.

Edited June 13, 2022 by Nightowl

[B69 0]

Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier
29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);een variant van Win64/CoinMiner.AFZ trojaans paard;bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
 

[Marcos 4,714]

7 minutes ago, B69 said:

Tijd;Scanner;Objecttype;Object;Detectie;Actie;Gebruiker;Informatie;Hash;Eerst gezien hier
29-6-2022 7:59:27;Geavanceerde geheugenscanner;bestand;Werkgeheugen » spoolsv.exe(1544);een variant van Win64/CoinMiner.AFZ trojaans paard;bevatte geïnfecteerde bestanden (na de volgende keer opnieuw opstarten);;;B6D31B120E905B753109CB0985C1F7818D10A40E;
 

Please provide logs collected with ESET Log Collector and "Threat detection" template selected in ELC.

[itman 1,542]

BTW - the log entry translated yields:

Time;Scanner;ObjectType;Object;Detection;Action;User;Information;Hash;First seen here 6/29-2022 7:59:27;Advanced memory scanner;file;Memory memory » spoolsv.exe(1544);a variant of Win64/CoinMiner.AFZ trojan horse;contains infected files (after next reboot);;; B6D31B120E905B753109CB0985C1F7818D10A40E;

[B69 0]

[itman 1,542]

Very odd that your receiving the Eset detection activity once a month on the same date, the seventh. Must be a scheduled task set up to run monthly.

Also, whatever the source malware is, it is injecting spoolsv.exe.

You could try to create an Eset HIPS rule to monitor any process modification of C:\Windows\System32\spoolsvc.exe. Make sure you set the logging level to warning. If this rule is triggered by a non-legit Windows process, block it when the alert presents. However, this process runs as a Windows service; i.e. svchost.exe. It is possible the malware is starting svchost.exe in suspended mode and performing a process hollowing routine against spoolsv.exe to inject the malware.