Rep Posted September 26
This address is being blocked and appears all the time, even when I don't have the browser open.

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Hora">26/09/2023 0:04:11</COLUMN>
      <COLUMN NAME="URL">https://controlpanel29.com</COLUMN>
      <COLUMN NAME="Estado">Bloqueado</COLUMN>
      <COLUMN NAME="Detección">Lista negra Anti-Phishing</COLUMN>
      <COLUMN NAME="Aplicación">C:\Windows\explorer.exe</COLUMN>
      <COLUMN NAME="Usuario">NT AUTHORITY\SYSTEM</COLUMN>
      <COLUMN NAME="Dirección IP">139.28.38.154</COLUMN>
      <COLUMN NAME="Hash">F6F8C077C21EB30CB71DC9CA294C6CCE11579D91</COLUMN>
    </RECORD>
  </LOG>
</ESET>
Marcos (Administrators) Posted September 26
Please provide logs collected with ESET Log Collector for a start.
murko Posted October 2
Hi, I have exactly the same issue. Attached screen + logs (per the instructions in the ESET Log Collector). ees_logs-02102023.zip
itman Posted October 2
The IP address is associated with Zemlyaniy Dmitro Leonidovich:

Quote: We consider Zemlyaniy Dmitro Leonidovich to be a potentially high fraud risk ISP, by which we mean that web traffic from this ISP potentially poses a high risk of being fraudulent. Other types of traffic may pose a different risk or no risk. They operate 18,407 IP addresses, some of which are running servers and anonymizing VPNs. They manage IP addresses for organisations including Zemlyaniy Dmitro Leonidovich, DeltaHost, and NetProtect LLC. Scamalytics see low levels of web traffic from this ISP across our global network, most of which is, in our view, fraudulent. We apply a risk score of 75/100 to Zemlyaniy Dmitro Leonidovich, meaning that of the web traffic where we have visibility, approximately 75% is suspected to be potentially fraudulent.
https://scamalytics.com/ip/isp/zemlyaniy-dmitro-leonidovich

-EDIT- Although Zemlyaniy Dmitro Leonidovich overall is suspect, this particular IP address looks OK: https://scamalytics.com/ip/139.28.38.154
Marcos (Administrators) Posted October 2
PowerShell/Agent.AEW trojan is being continually detected; we'll need a registry dump for perusal. Please collect fresh ECL logs with the "Threat detection" template selected in the ELC menu.
itman Posted October 2
One thing to be pointed out is that the detections posted in this thread are originating from explorer.exe. This is highly suspect and "smells" of malware activity.
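The point made above (a URL block attributed to explorer.exe running as SYSTEM is not normal browser activity) can be checked mechanically against the XML export ESET produces. The following script is an added example and is not code from the thread or from ESET: it parses an export with the column layout shown in the first post (Spanish column names), and reports every blocked record whose requesting process is not a browser or whose user context is SYSTEM. The sample export is constructed inline (the thread's record plus one ordinary browser hit), and the browser allow-list is an assumption you should adapt to your environment.

```powershell
# Added example, not from the thread or from ESET: triage an ESET URL-block XML export
# and flag blocked URLs that did not originate from a browser or that were requested
# in the SYSTEM context. Assumptions: the export uses the column layout shown in the
# thread (Spanish column names); $browsers is a constructed allow-list.
# Save this script as UTF-8 with BOM so the accented column names survive in PowerShell 5.1.

# Constructed sample: the record posted in the thread plus one ordinary browser hit
$sampleXml = @'
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Hora">26/09/2023 0:04:11</COLUMN>
      <COLUMN NAME="URL">https://controlpanel29.com</COLUMN>
      <COLUMN NAME="Estado">Bloqueado</COLUMN>
      <COLUMN NAME="Detección">Lista negra Anti-Phishing</COLUMN>
      <COLUMN NAME="Aplicación">C:\Windows\explorer.exe</COLUMN>
      <COLUMN NAME="Usuario">NT AUTHORITY\SYSTEM</COLUMN>
      <COLUMN NAME="Dirección IP">139.28.38.154</COLUMN>
      <COLUMN NAME="Hash">F6F8C077C21EB30CB71DC9CA294C6CCE11579D91</COLUMN>
    </RECORD>
    <RECORD>
      <COLUMN NAME="Hora">26/09/2023 9:15:02</COLUMN>
      <COLUMN NAME="URL">https://phish.example/login</COLUMN>
      <COLUMN NAME="Estado">Bloqueado</COLUMN>
      <COLUMN NAME="Detección">Lista negra Anti-Phishing</COLUMN>
      <COLUMN NAME="Aplicación">C:\Program Files\Mozilla Firefox\firefox.exe</COLUMN>
      <COLUMN NAME="Usuario">DESKTOP-TEST\alice</COLUMN>
      <COLUMN NAME="Dirección IP">203.0.113.10</COLUMN>
      <COLUMN NAME="Hash">0000000000000000000000000000000000000000</COLUMN>
    </RECORD>
  </LOG>
</ESET>
'@

# Processes expected to trigger URL blocks on a workstation (constructed allow-list)
$browsers = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'opera.exe', 'iexplore.exe')

function Get-SuspiciousBlockedUrl {
    param([Parameter(Mandatory)][xml]$Log)
    foreach ($rec in $Log.ESET.LOG.RECORD) {
        # Build a name -> value map from the COLUMN elements of this record
        $col = @{}
        foreach ($c in $rec.COLUMN) { $col[$c.GetAttribute('NAME')] = $c.InnerText }

        $exe = [IO.Path]::GetFileName($col['Aplicación']).ToLower()
        $reasons = @()
        if ($browsers -notcontains $exe)               { $reasons += "non-browser process $exe" }
        if ($col['Usuario'] -eq 'NT AUTHORITY\SYSTEM') { $reasons += 'request made as SYSTEM' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $col['Hora']
                Url     = $col['URL']
                Ip      = $col['Dirección IP']
                Process = $col['Aplicación']
                User    = $col['Usuario']
                Why     = $reasons -join '; '
            }
        }
    }
}

# On the constructed sample only the explorer.exe / SYSTEM record is reported
Get-SuspiciousBlockedUrl -Log ([xml]$sampleXml) | Format-Table -AutoSize

# For a real export:
# Get-SuspiciousBlockedUrl -Log ([xml](Get-Content -Raw -Encoding UTF8 .\blocked.xml))
```

Attributes are read with GetAttribute rather than the adapted `$c.NAME` property because that name collides with the .NET `Name` member of an XmlElement. The explorer.exe record trips both tests: Explorer does not fetch web content on its own, and an interactive shell never runs as NT AUTHORITY\SYSTEM, so either condition on its own is worth a closer look.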
murko Posted October 2
1 hour ago, Marcos said: PowerShell/Agent.AEW trojan is being continually detected, we'll need a registry dump for perusal. Please collect fresh ECL logs with "Threat detection" template selected in the ESET Log Collector menu.
ees_logs-02102023-threatdetection.zip
Marcos (Administrators) Posted October 3
Does deleting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{26D015BE-52F8-423E-B5A2-512B57B991A1} in safe mode make a difference? Also please provide me with the file c:\program files\windowsmalwareprotection\config\systemreset.exe.
murko Posted October 3
6 hours ago, Marcos said: Does deleting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{26D015BE-52F8-423E-B5A2-512B57B991A1} in safe mode make a difference? Also please provide me with the file c:\program files\windowsmalwareprotection\config\systemreset.exe.
Hi, I don't have that regedit entry anymore (I ran Malwarebytes in the meantime; there were some entries which were deleted, can't remember now). In the attachment is the requested file: systemreset.rar
EDIT: Malwarebytes log: mb-results.txt
EDIT2: It does not make any difference, the issue still persists.
itman Posted October 3
Prior incidents of PowerShell/Agent.AEW trojan in the forum usually involved the creation of a Win service: https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150342 ; the service running SyncAppvPublishingServer.vbs, with the service being started via a scheduled task. This current instance is different. It appears explorer.exe connects to the domain in question to either download the PowerShell malware or to run it remotely. In a remote PowerShell attack, the script being deployed must exist on the target device. So it is possible that what is attempting to download from this domain is the script. Sysinternals' Autoruns might be of assistance here, looking for a suspect explorer.exe task running at system startup time.
Marcos (Administrators) Posted October 3
Please delete systemreset.exe. It's a 1.4 GB Themida malware, specifically CoinMiner. It will be detected as Win64/Packed.Themida.QI trojan.
murko Posted October 3
18 minutes ago, Marcos said: Please delete systemreset.exe. It's a 1.4 GB Themida malware, specifically CoinMiner. Will be detected as Win64/Packed.Themida.QI trojan.
Hi, it seems that fixed the issue; so far no connection attempts to that IP.
itman Posted October 3
Here's Malwarebytes' remediation of the bugger: https://forums.malwarebytes.com/topic/297568-program-fileswindowsmalwareprotection-systemresetexe-malware-removal/ . Problem is the fixlist isn't available.
murko Posted October 3
24 minutes ago, itman said: Prior incidents of PowerShell/Agent.AEW trojan in the forum usually involved the creation of a Win service: https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150342 ; the service running SyncAppvPublishingServer.vbs; with the service being started via scheduled task. This current instance is different. It appears explorer.exe connects to the domain in question to either download the PowerShell malware or to run it remotely. In a remote PowerShell attack, the script being deployed must exist on the target device. So it is possible what is attempting to download from this domain is the script. SysInternal's Autoruns migh be of assistance here looking for suspect explorer.exe task running at system startup time.
Hi, what would you need from the Autoruns?
murko Posted October 3
Well, the joy was only temporary. After around 13 min, the issue is back. Also see the attached screen; apart from explorer.exe, cmd.exe is also being listed.
itman Posted October 3
As far as Autoruns goes, of note is this from the Malwarebytes posting:

Quote: I have disabled 2 scheduled tasks and removed triggers for now:
System32\Tasks\MicrosoftMalwareProtection
System32\Tasks\systemreset

Run Autoruns64.exe. Once it fully initializes, search for MicrosoftMalwareProtection and systemreset. Take a screenshot of the section where they are located. Don't modify anything yet.
murko Posted October 3
1 hour ago, itman said: As far as Autoruns goes of note is this from the Malwarebytes posting; Run Autoruns64.exe. Once it fully initializes, search for MicrosoftMalwareProtection and systemreset. Take a screenshot of the section where they are located. Don't modify anything yet.
This is for systemreset:
For MicrosoftMalwareProtection there is nothing; the only remotely similar one is: WindowsMalwareProtection
Marcos (Administrators) Posted October 3
Please provide the content of the C:\Program Files\WindowsMalwareProtection folder. Move the folder to c:\esetvir for instance and reboot the machine. You can then select the 2 scheduled tasks and delete them.
murko Posted October 3
12 minutes ago, Marcos said: Please provide the content of the C:\Program Files\WindowsMalwareProtection folder. Move the folder to c:\esetvir for instance and reboot the machine. You can then select the 2 scheduled tasks and delete them.
C:\Program Files\WindowsMalwareProtection : WindowsMalwareProtection.rar
murko Posted October 3
After removing the task schedule entries + the WindowsMalwareProtection folder, it seems it's finally resolved, at least for now: almost 45 min without issue.
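The remediation in the posts above (locate the two scheduled tasks in Autoruns, move the folder they run from, delete the tasks) can be turned into a repeatable check. The script below is an added example and is not code from the thread, from ESET or from Malwarebytes: it enumerates scheduled tasks and reports those whose action references a suspect folder, runs a binary outside the Windows and Program Files trees, or runs a binary without a valid Authenticode signature (the Reddit report later in the thread notes that the dropped files were Microsoft-signed except for the payload). For each hit it resolves the TaskCache GUID from the Tree key, so the result can be matched against the `Schedule\TaskCache\Tasks\{GUID}` key Marcos pointed at. The default suspect folder is the one named in this thread; the signature test and the trusted-root list are heuristics and an assumption, not a vendor rule.

```powershell
# Added example, not from the thread or from any vendor tool: enumerate scheduled tasks
# and report the ones whose action references a suspect folder, runs a binary outside
# the Windows and Program Files trees, or runs a binary without a valid Authenticode
# signature. For each hit the TaskCache GUID is looked up so it can be matched against
# the HKLM\...\Schedule\TaskCache\Tasks\{GUID} keys seen in logs.
# Assumptions: run from an elevated PowerShell; the default -SuspectFolder is the folder
# named in this thread; the signature test is a heuristic, not proof of malice.

function Get-SuspectScheduledTask {
    param(
        [string[]]$SuspectFolder = @('C:\Program Files\WindowsMalwareProtection'),
        [string[]]$TrustedRoot   = @("$env:windir\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    )
    $tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute member; skip them
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $cmd = ("$exe " + $action.Arguments).Trim()

            $why = @()
            if ($SuspectFolder | Where-Object { $cmd -like "*$_*" })     { $why += 'references suspect folder' }
            # Relative image names (e.g. "cmd.exe") are reported here too; review them by hand
            if (-not ($TrustedRoot | Where-Object { $exe -like "$_*" })) { $why += 'runs outside Windows/Program Files' }
            if ((Test-Path -LiteralPath $exe) -and
                (Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') { $why += 'binary not validly signed' }
            if ($why.Count -eq 0) { continue }

            # Tree\<TaskPath><TaskName> holds the Id value that names the Tasks\{GUID} key
            $key = Join-Path $tree ($task.TaskPath.TrimStart('\') + $task.TaskName)
            $id  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Id

            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                State       = $task.State
                Principal   = $task.Principal.UserId
                Command     = $cmd
                TaskCacheId = $id
                Why         = $why -join '; '
            }
        }
    }
}

# Review the output first; remove a task (Unregister-ScheduledTask) only after the
# binaries it runs have been moved aside for analysis, as was done in this thread.
Get-SuspectScheduledTask | Format-Table -AutoSize -Wrap
```

The folder in this case sat under C:\Program Files, so the "outside Windows/Program Files" heuristic alone would not have caught it; that is why the signature check and the explicit folder list are there. The TaskCacheId column is the GUID form that appears in the registry path quoted earlier, which makes it possible to tie a task seen in Autoruns to a key seen in a registry dump.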
itman Posted October 3
Another posting about this bugger on Reddit:

Quote: I think I have found it. It is an executable called MicrosoftMalwareProtection.exe under C:/Program Files/WindowsMalwareProtection/config. Everything in this folder is signed by Microsoft except for that one. It is executed at start up and a conhost with that weird command is called by it. 99% it is a malware. I'll try to reverse engineer it to find out what it does. Yesterday I opened the task manager and noticed an unusually high RAM usage. I went in the processes list and nothing, everything looked fine. So I started digging a little and found out that there is a conhost process that is using around 2.5 GB of RAM and that doesn't show up in the task manager. Here is a picture with the details.
https://www.reddit.com/r/techsupport/comments/zaqigb/is_this_a_maleware/

The interesting part is most of its binaries are Microsoft signed. It also appears the payload is embedded within conhost.exe. Based on what was recently posted in this thread, it appears cmd.exe was started or conhost.exe standalone, most likely in suspended mode; then process hollowing and/or command line modification was done on conhost.exe, and conhost.exe was started. Perhaps it's time Eset start setting deep behavior inspection hooks into conhost.exe as it does for cmd.exe.
itman Posted October 3
Another important detail from the Reddit article I forgot to post. It is conhost.exe that is performing the remote communication:

Quote: Another thing that made me suspect is that it periodically opens and closes a TCP connection with some server that appears to be located in Ukraine.

Makes sense since conhost is what contains the malware code. So I will add an Eset firewall rule to block conhost.exe communication.
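The observation above (conhost.exe periodically opening TCP connections) is easy to check on a live machine, because a legitimate conhost.exe only hosts the console window for a command-line program and never opens sockets of its own. The script below is an added example and is not code from the thread or from ESET: it joins the TCP connection table to the running conhost.exe processes and shows, for each connection, the parent that spawned that conhost instance and its command line, which is what you need to find the launcher rather than just the symptom. The commented Windows Firewall rule at the end is the built-in equivalent of the ESET firewall rule itman describes; the rule name is an assumption.

```powershell
# Added example, not from the thread: list live TCP connections owned by conhost.exe
# together with the process that spawned each instance. A legitimate conhost.exe only
# hosts the console window for a command-line program and opens no sockets of its own,
# so any row returned here deserves a look. Assumption: run elevated so every process
# and its command line is visible.

function Get-ConhostConnection {
    param([string]$ImageName = 'conhost.exe')

    # Index the conhost processes by PID so connections can be joined to them
    $byPid = @{}
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = '$ImageName'") {
        $byPid[[int]$p.ProcessId] = $p
    }
    if ($byPid.Count -eq 0) { return }

    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $byPid.ContainsKey([int]$_.OwningProcess) -and $_.State -ne 'Listen' } |
        ForEach-Object {
            $p      = $byPid[[int]$_.OwningProcess]
            # The parent is the interesting part: it is what launched this conhost instance
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            $parentLabel = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($p.ParentProcessId))" }
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Parent      = $parentLabel
                CommandLine = $p.CommandLine
                Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
                State       = $_.State
            }
        }
}

Get-ConhostConnection | Format-Table -AutoSize -Wrap

# Windows Firewall equivalent of the ESET rule discussed above (conhost.exe has no
# legitimate need for outbound connections); uncomment to apply:
# New-NetFirewallRule -DisplayName 'Block conhost.exe outbound' -Direction Outbound `
#     -Program "$env:windir\System32\conhost.exe" -Action Block
```

A parent that has already exited (shown as "exited") is itself a clue: a launcher that starts conhost.exe and then terminates, leaving the console host running with an injected payload, matches the hollowing pattern itman describes. Run the check a few times some minutes apart, since the Reddit report says the connection is opened and closed periodically rather than held open.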
murko Posted October 3
8 minutes ago, itman said: Another important detail from the Reddit article I forgot to post. It is conhost.exe that is performing the remote communication; Makes sense since conhost is what contains the malware code. So I will add an Eset firewall rule to block conhost.exe communication.
Nice summary. As a preventive measure, it's good to block that conhost.exe, but it doesn't solve the root of the issue: where did it come from / what exactly causes it / how to detect it beforehand, imho.
itman Posted October 3
36 minutes ago, murko said: Nice summary. As a preventive measure, its good to block that conhost.exe, but it doesnt solve the root of the issue - where does it came from/what causes exactly/how to detect it beforehand imho.
This puppy has been flying under the radar for some time. The Reddit article is 10 months old. Out of curiosity, check Win add/remove programs and see if there is an entry for WindowsMalwareProtection or MicrosoftMalwareProtection.
murko Posted October 3
2 minutes ago, itman said: This puppy has been flying under the radar for some time. The Reddit article is 10 months old. Out of curiosity, check Win add/remove programs and see if there is an entry for WindowsMalwareProtection or MicrosoftMalwareProtection
Already checked, nothing there. Also scanned all drives for such files/folders; nothing except those mentioned before.