
The service team with mobsync.dll/evntagnt.dll restores and restarts the miner


safety


Dear Colleagues!

Is it possible to decrypt a *.dat file paired with mobsync.dll/evntagnt.dll?
Presumably this file may contain a config for the task,
with the help of which the miner is launched from a folder with an arbitrary name.

For example:
RescueSwift-fc4b811c-e35f-4a8d-a903-db85344b9d7f
PicturePerfect-d2f4adbc-5e35-42fd-bfe5-bbdf187ada08
ExpressEditor-22b9dab3-7036-45b3-9fda-b264e8491726
BoltDownloader-e1648eb4-dcd2-4e6d-b19a-7fc96278e3b5
and others.

The miner launch chain looks like this (captured via Universal Virus Sniffer):
Полное имя C:\WINDOWS\SYSWOW64\SVCHOST.EXE
Имя файла SVCHOST.EXE
Тек. статус АКТИВНЫЙ ПРОВЕРЕННЫЙ сервис в автозапуске Фильтр

Удовлетворяет критериям
THREADS IN PROCESSES (ПРЕДУПРЕЖДЕНИЕ ~ ОБНАРУЖЕН ВНЕДРЕННЫЙ ПОТОК В ПРОЦЕССЕ)(1) [filtered (0)]

Сохраненная информация на момент создания образа
Статус АКТИВНЫЙ ПРОВЕРЕННЫЙ сервис в автозапуске
Процесс 32-х битный
File_Id 768582FAD000
Linker 14.20
Размер 46544 байт
Создан 27.11.2023 в 13:19:16
Изменен 27.11.2023 в 13:19:16

TimeStamp 04.01.2033 в 14:21:46
EntryPoint +
OS Version 10.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
Тип файла 32-х битный ИСПОЛНЯЕМЫЙ
Цифр. подпись Действительна, подписано Microsoft Windows Publisher

Оригинальное имя svchost.exe.mui
Версия файла 10.0.19041.1 (WinBuild.160101.0800)
Описание Хост-процесс для служб Windows
Производитель Microsoft Corporation

Доп. информация на момент обновления списка
pid = 4092 NT AUTHORITY\СИСТЕМА
CmdLine C:\Windows\SysWOW64\svchost.exe -k DcomLaunch -s EvntAgntSvc_daa0aa
Процесс создан 13:01:43 [2023.12.03]
С момента создания 00:01:21
CPU 0,09%
CPU (1 core) 1,10%
parentid = 948 C:\WINDOWS\SYSTEM32\SERVICES.EXE
Предупреждение (!) ПРЕДУПРЕЖДЕНИЕ: Обнаружен внедренный поток в процессе C:\WINDOWS\SYSWOW64\SVCHOST.EXE [4092], tid=5376
Создание задачи \Task-b4045877-4506-4217-974f-7ca9dc3da345_Vl
pid = 4092 NT AUTHORITY\СИСТЕМА
TaskXML <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="hxxp://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<URI>\Task-b4045877-4506-4217-974f-7ca9dc3da345_Vl</URI>
</RegistrationInfo>
<Triggers>
<RegistrationTrigger id="Trigger1">
<EndBoundary>2023-12-03T13:02:54</EndBoundary>
<Enabled>true</Enabled>
<Delay>PT25S</Delay>
</RegistrationTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>S-1-5-21-3326377353-2303841640-77764357-1003</UserId>
<RunLevel>HighestAvailable</RunLevel>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command>
<Arguments>--create --algo 144_5 --pers BgoldPoW -i 99 --server 185.180.230.136:8080 --user ARRLXmqTUQrpjcN7P7xnnx1K1gfHQbCTiJ.Zephyr -w 0</Arguments>
</Exec>
</Actions>
</Task>
Время 13:01:49 [2023.12.03]
parentid = 948 C:\WINDOWS\SYSTEM32\SERVICES.EXE
SHA1 53C010F3CC328D4764359DA02D209750E4616BB4
MD5 BBFF42F3C7E8FC0E3049F6F88FBB88E2

Ссылки на объект
Ссылка HKLM\System\CurrentControlSet\Services\EvntAgntSvc_daa0aa\ImagePath
ImagePath %SystemRoot%\SysWOW64\svchost.exe -k DcomLaunch
DisplayName EvntAgnt_999b80
Description Event Translator SNMP subagent
EvntAgntSvc_daa0aa тип запуска: Авто (2)
Изменен 27.11.2023 в 12:21:35

Образы EXE и DLL
SVCHOST.EXE C:\WINDOWS\SYSWOW64

Загруженные DLL НЕИЗВЕСТНЫЕ
EVNTAGNT.DLL C:\WINDOWS\SYSWOW64

--------------------
Here is the task (TaskXML <?xml version="1.0" encoding="UTF-16"?>) created after the service starts:
C:\Windows\SysWOW64\svchost.exe -k DcomLaunch -s EvntAgntSvc_daa0aa

Presumably, this is the task that is extracted from the *.dat file.
After creating the task, the miner is launched from the preinstalled folder, in this case from
C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a

Execution block:
<Exec>
<Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command>
<Arguments>--create --algo 144_5 --pers BgoldPoW -i 99 --server 185.180.230.136:8080 --user ARRLXmqTUQrpjcN7P7xnnx1K1gfHQbCTiJ.Zephyr -w 0</Arguments>
</Exec>

There are three different pairs in the archives, collected from different cases.
Archive password: "infected" (without quotes).

 

Samples.rar
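As an added triage example (not from the thread, and not uVS or ESET code), a Python parser that scores an exported Task Scheduler XML against the traits of the task captured above: an Exec path under a ProgramData\<Name>-<GUID> folder, miner-style command-line switches, a RegistrationTrigger run at HighestAvailable, and self-deletion via EndBoundary plus DeleteExpiredTaskAfter. The sample XML is constructed with the standard task namespace; the pool host and wallet are placeholders, and the indicator names and the two-indicator threshold are my own choices.

```python
import re
import xml.etree.ElementTree as ET

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# <drive>:\ProgramData\<Word>-<GUID>\ : the randomly named drop folder seen in the thread
DROP_DIR = re.compile(r"^[a-z]:\\programdata\\[a-z0-9]+-" + GUID + r"\\", re.I)
MINER_SWITCHES = ("--algo", "--server", "--pool", "--user", "--pers")

# Constructed sample modelled on the captured TaskXML; pool host and wallet are placeholders.
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><RegistrationTrigger id="Trigger1"><EndBoundary>2023-12-03T13:02:54</EndBoundary>
    <Delay>PT25S</Delay></RegistrationTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\TileDataNetwork-ba00c230-6183-4f3e-944f-35140b43215a\TileDataNetwork.exe</Command>
    <Arguments>--algo 144_5 --pers BgoldPoW --server POOL_HOST:8080 --user WALLET.Zephyr</Arguments>
  </Exec></Actions></Task>"""
# Constructed benign control: a scheduled clean-up run from System32, no trigger on registration.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-12-03T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\cleanmgr.exe</Command>
    <Arguments>/autoclean</Arguments></Exec></Actions></Task>"""

def assess_task_xml(text):
    """Return the Exec command and arguments plus the list of matched indicators."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)  # exports declare UTF-16; drop the declaration
    nodes = {}
    for el in ET.fromstring(text).iter():
        nodes.setdefault(el.tag.rsplit("}", 1)[-1], []).append(el)  # strip the xmlns prefix
    def first(tag):
        hits = nodes.get(tag)
        return (hits[0].text or "").strip() if hits else ""
    cmd, args = first("Command"), first("Arguments")
    found = []
    if DROP_DIR.search(cmd):
        found.append("exec_from_programdata_guid_dir")
    if sum(sw in args for sw in MINER_SWITCHES) >= 2:  # lolMiner/miniZ-style switches
        found.append("miner_style_arguments")
    if "RegistrationTrigger" in nodes and first("RunLevel") == "HighestAvailable":
        found.append("fires_on_registration_elevated")
    if first("EndBoundary") and first("DeleteExpiredTaskAfter") == "PT0S":
        found.append("self_deleting_after_run")
    return {"command": cmd, "arguments": args, "indicators": found}

def is_suspicious(text, threshold=2):
    return len(assess_task_xml(text)["indicators"]) >= threshold
```

Feed it the XML from Export-ScheduledTask or a task file under C:\Windows\System32\Tasks; a task fired once on registration and then deleted leaves little behind, so the service and the ProgramData folder remain the durable artifacts to hunt for.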


  • Administrators

This forum is not intended for reporting suspicious samples. Please submit them as per the instructions at https://support.eset.com/en/kb141 and include information why you think they are malicious. I've scanned one of the DLLs and it has zero detections at VirusTotal:

https://www.virustotal.com/gui/file/4b8c5f3064f6e084ed1563886b1aa3f3898b1bf51718ab3913967ccfbf6c7c00?nocache=1


Dear Marcos,

The fact of the matter is that nothing is detected. However, through this service, a malicious thread is injected into syswow64\svchost.exe and the folder with the miner is restored. If it was deleted, restoration occurs with a different name. Okay, I'll send the files to Virlab.


This topic is now closed to further replies.