
URL/Urlik.AAR Object - pastebin - virus?


Solved by Nataniell


"Hello, I need help with detection. Eset regularly blocks this web address several times a day even when I'm not doing anything on the PC. This means something is running in the background. I've run several scans and found nothing."

"HTTP filter; file; https://pastebin.com/raw/GirGW7HW; URL/Urlik.AAR Object; connection interrupted; NT AUTHORITY\SYSTEM; This event occurred when trying to access the web by the application: C:\Windows\System32\cmd.exe (7140CAF2A73676D1F7CD5E8529DB861F4704C939); 67F7C5BB2071A4533299569C687A1CB8D5D03BAF;"


  • Administrators

According to the content downloaded from pastebin, it looks like a coinminer attempted to download a configuration JSON file, which was blocked. However, the detection occurred only once, on 15. 6. 2024 at 22:36, and the logs do not show anything suspicious, which is in contrast with your statement that the address was blocked several times a day. Please clarify.


Because I accidentally deleted the entire web protocol log instead of one line, the connections are not visible there, but I can collect them again. The block pops up after every restart and login to Windows.


  • Administrators

Please provide also a Procmon boot log. After a reboot, stop logging only after the detection has occurred and then collect also fresh ELC logs.


Cmd.exe shouldn't be establishing an Internet connection. Probably some script is running it at system startup time.

If you create a HIPS ask rule to monitor cmd.exe startup, this will show what is running it. My suspicion is the Windows Task Scheduler service, or the script is started via a registry Run key.


When I started the process monitor, the warning did not appear yet. It popped up once before I started the process monitor. I am posting it in this log. About HIPS... I am not a pro user, so I don't know how to set up an ask rule.

eis_logs.zip


I will add that coinminers have code to monitor for attempted surveillance. It might have just shut down when it saw Process Monitor running.


Per VirusTotal: https://www.virustotal.com/gui/url/73af357fc3e66e32a335e0ba9450945b4ef46a2d59ff806ee23e6caec07c2831/detection , this might be related to Sysrv-hello crypto-jacking botnet activity. Analysis of it is here: https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet . If this is the case, the coinminer is an undetected variant of XMRig.

On the other hand, a related ESET detection earlier this year turned out to be a false positive: https://forum.eset.com/topic/39655-urlurlikaad-false-positive/

A posting 5 months ago directly related to this ESET detection, including cmd.exe as the source process connecting to pastebin.com, is on Reddit here: https://www.reddit.com/r/cybersecurity_help/comments/1ad2ad6/my_workstation_has_installed_cryptomining_malware/ . The problem is that no resolution to the issue was posted.

Edited by itman

  • Administrators
6 hours ago, Nataniell said:

When I started the process monitor, the warning did not appear yet. It popped up once before I started the process monitor. I am posting it in this log. About HIPS... I am not a pro user, so I don't know how to set up an ask rule.

A Procmon boot log was not provided. First launch Procmon, then enable the option to create a boot log and reboot the machine. After a reboot wait a bit until the detection occurs, then stop logging and save the log unfiltered in the PML format. Compress the PML log and supply it along with fresh ELC logs for perusal.

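Added example, not code from this thread or from ESET: once a Procmon boot log has been saved and exported to CSV, this Python script answers the question the HIPS ask rule and the boot log are both aimed at, namely which process launched the cmd.exe instance that opened a network connection. It rebuilds the process tree from Procmon's "Process Create" rows and walks the ancestry of every cmd.exe (or any other named process) that performed a TCP/UDP operation. It assumes Procmon's default CSV columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and the "PID: n, Command line: ..." layout of the Detail field on Process Create rows; the embedded CSV is a constructed sample with made-up PIDs, times and endpoints, not a log from this thread.

```python
import csv
import io
import re

# Constructed sample, not a log from the thread, in the default column layout
# Procmon writes when a log is saved as CSV. PIDs, times and endpoints are made up.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:02:11.0012345","services.exe","700","Process Create","C:\\Windows\\System32\\svchost.exe","SUCCESS","PID: 1188, Command line: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
"7:02:40.1100000","explorer.exe","3100","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 5004, Command line: C:\\Windows\\System32\\cmd.exe"
"7:02:41.2200000","svchost.exe","1188","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4412, Command line: cmd.exe /c curl -s https://pastebin.com/raw/EXAMPLE -o %TEMP%\\cfg.json"
"7:02:41.3300000","cmd.exe","4412","TCP Connect","host-a:54321 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460"
"7:02:41.4400000","cmd.exe","5004","RegQueryValue","HKCU\\Software\\Microsoft\\Command Processor\\AutoRun","NAME NOT FOUND","Length: 144"
"""

# Layout of the Detail column on Procmon "Process Create" rows.
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)")


def parse_events(csv_text):
    """Rows of a Procmon CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_process_table(events):
    """Map child PID -> creator info, taken from 'Process Create' rows.

    The row's own PID/Process Name are the parent; the child PID and command
    line are parsed out of the Detail column. If Windows reuses a PID during
    the log, the later creation overwrites the earlier one.
    """
    table = {}
    for ev in events:
        if ev["Operation"] != "Process Create":
            continue
        m = DETAIL_RE.match(ev["Detail"])
        if not m:
            continue
        table[int(m.group(1))] = {
            "image": ev["Path"],
            "cmdline": m.group(2).strip(),
            "parent_pid": int(ev["PID"]),
            "parent_name": ev["Process Name"],
        }
    return table


def ancestry(pid, table, max_depth=32):
    """[(pid, image), ...] from the process up to the oldest creator we know of.

    The last entry is usually a process that started before boot logging began,
    so it is known only by the name recorded on its child's Process Create row.
    """
    chain, seen, parent_name = [], set(), None
    while pid in table and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        info = table[pid]
        chain.append((pid, info["image"]))
        pid, parent_name = info["parent_pid"], info["parent_name"]
    if chain:
        chain.append((pid, parent_name))
    return chain


def find_network_events(events, process_name):
    """Rows where the named process did any TCP/UDP operation."""
    return [
        ev for ev in events
        if ev["Process Name"].lower() == process_name.lower()
        and ev["Operation"].split(" ", 1)[0] in ("TCP", "UDP")
    ]


def trace(csv_text, process_name="cmd.exe"):
    """For each network event by process_name, report who launched it and how."""
    events = parse_events(csv_text)
    table = build_process_table(events)
    findings = []
    for ev in find_network_events(events, process_name):
        pid = int(ev["PID"])
        findings.append({
            "time": ev["Time of Day"],
            "operation": ev["Operation"],
            "endpoint": ev["Path"],
            "pid": pid,
            "cmdline": table.get(pid, {}).get("cmdline"),
            "chain": ancestry(pid, table),
        })
    return findings


if __name__ == "__main__":
    # For a real boot log: Procmon -> File -> Save, choose CSV, then pass
    # open("Logfile.CSV", encoding="utf-8-sig").read() to trace().
    for f in trace(SAMPLE_CSV):
        print(f"{f['time']} {f['operation']} {f['endpoint']} by PID {f['pid']}")
        print("  command line:", f["cmdline"])
        for pid, image in f["chain"]:
            print(f"  <- {pid} {image}")
```

On the constructed sample the only hit is the cmd.exe launched by the Schedule service host, with the download command line and the chain cmd.exe <- svchost.exe <- services.exe; the second cmd.exe, started from Explorer, makes no network call and is not reported. Two caveats a practitioner should keep in mind: the root of each chain is only as good as the Process Create rows captured, so a creator that started before boot logging was armed appears by name only, and, as the thread itself observes, a miner that stays quiet while Procmon is running leaves no network row to trace at all.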

6 hours ago, Marcos said:

A Procmon boot log was not provided. First launch Procmon, then enable the option to create a boot log and reboot the machine. After a reboot wait a bit until the detection occurs, then stop logging and save the log unfiltered in the PML format. Compress the PML log and supply it along with fresh ESET Log Collector logs for perusal.

I am trying to explain that as soon as I turned on Procmon, the detection stopped showing up, and it has not shown up since.


13 hours ago, Marcos said:

A Procmon boot log was not provided. First launch Procmon, then enable the option to create a boot log and reboot the machine. After a reboot wait a bit until the detection occurs, then stop logging and save the log unfiltered in the PML format. Compress the PML log and supply it along with fresh ELC logs for perusal.

My opinion here is that whatever is starting/monitoring the coinminer detects that Procmon is running and won't start the coinminer. Perhaps Sysinternals Autoruns is a better diagnostic choice. Also, doesn't ESET SysInspector detect Windows startup tasks?


  • Administrators
3 hours ago, itman said:

Also, doesn't ESET SysInspector detect Windows startup tasks?

There's nothing suspicious in autostart locations. However, I'd recommend removing MBAM and enabling detection of potentially unsafe applications:

[attached screenshot: image.png]

On 6/21/2024 at 7:28 PM, Nataniell said:

When I started the process monitor, the warning did not appear yet.

Just to make sure, did you enable boot logging in Procmon, then rebooted the machine and waited for the detection to occur?


An example of a coinminer that detects monitoring processes and terminates itself:

Quote:

While running, the miner will constantly poll the list of running processes. If it detects processes running for Process Explorer, Task Manager, Process Monitor, Process Hacker, AnVir Task Manager, PlayerUnknown's Battlegrounds (PUBG), Counter-Strike: Global Offensive, Rainbow Six, or Dota 2, it will terminate the attrib.exe and Iostream.exe processes.

https://www.bleepingcomputer.com/news/security/cryptocurrency-miner-plays-hide-and-seek-with-popular-games-and-tools/


36 minutes ago, Marcos said:

There's nothing suspicious in autostart locations. However, I'd recommend removing MBAM and enabling detection of potentially unsafe applications:

[attached screenshot: image.png]

Just to make sure, did you enable boot logging in Procmon, then rebooted the machine and waited for the detection to occur?

I did. Today I waited the whole day after the reboot and there was no detection. I'll try one day without Procmon enabled.


38 minutes ago, Marcos said:

enabling detection of potentially unsafe applications:

Oh, my. Most definitely this needs to be done, since ESET detects XMRig as a PUA:

[attached screenshot: Eset_XMrig.png]


10 minutes ago, Nataniell said:

You mean this? Do I turn on aggressive?

Yes. Have you uninstalled MBAM?


That's clear. I uninstalled MBAM, restarted the PC, and the detection appeared. Of course, I didn't have the monitor with the boot log turned on. I tried turning the monitor back on and restarting, and the detection didn't show up. So, it recognizes the boot log and avoids it. Now I am scanning with ESET again.

