URL/Urlik.AAR Object - pastebin - virus?

[itman 1,747]

My best guess at this point is a Win service has been created that auto runs at system startup time. I saw something similar running as;

svchost.exe cmd http:\\some Ip address with pastebin.com URL.

[Nataniell 0]

Ok so any more ideas what I can do? 

[itman 1,747]

1 hour ago, Nataniell said:

Ok so any more ideas what I can do? 

Let's wait till Eset scan completes to see if it found anything.

Edited June 22 by itman

[Nataniell 0]

eset found nothing new

[itman 1,747]

Something new today. Eset has blacklisted the pastebin.com domain used by this coinminer;

As such, you should no longer be receiving any Eset alerts when the coinminer attempts to connect to the pastebin.com domain in question. Rather the connection attempt is silently blocked by Eset HTTP filtering. This can be verified by reviewing Eset filtered web sites log. 

However, the coinminer still exists on your device.

[Nataniell 0]

Ok so I have to format disk? 

[itman 1,747]

32 minutes ago, Nataniell said:

Ok so I have to format disk? 

Wait till tomorrow to see what @Marcos can come up with. It's the weekend and Eset support personnel are not at work.

[Marcos 5,267]

Is the threat detected or pastebin url blocked whenever you reboot the machine without Procmon running?

[Nataniell 0]

Yes, if the Procmon is not running, it is within 2-3 minutes after every reboot

Edited June 24 by Nataniell

[Marcos 5,267]

What if you rename procmon.exe to proc.cmd for instance and run it under this name?

[Nataniell 0]

Renaming does not work

[itman 1,747]

50 minutes ago, Nataniell said:

Renaming does not work

Do you mean that Process Monitor would not start when named proc.cmd? If that is the case, rename it to monitor.exe and see if that works.

[Marcos 5,267]

Please provide logs from the Autoruns and Gmer tools as well.

Also to rule out a possible active rootkit being on the machine and hiding the malware, I'd recommend starting the system from a clean medium and running a disk scan, e.g. with the ESET Online scanner.

[Nataniell 0]

3 hours ago, Marcos said:

Please provide logs from the Autoruns and Gmer tools as well.

Also to rule out a possible active rootkit being on the machine and hiding the malware, I'd recommend starting the system from a clean medium and running a disk scan, e.g. with the ESET Online scanner.

What do you mean by starting system from clean medium? 

I sending logs from Autoruns and Gmer but I'm not sure if I've collected them correctly with the correct settings.

 

 

logs.rar

[itman 1,747]

@Marcos, here's an article on a coinminer with behavior similar to what is going on here: https://asec.ahnlab.com/en/40673/ . It includes pastebin.com use, etc.. It also used a .json file to deploy xmrig coinminer.

[MHRSFI 1]

I believe we can use HIPS rules to identify which file is executing the command to connect to pastebin.com Here's how you can do it:

1. Navigate to Settings > HIPS > Rules
2. Click Add
3. Enter a name for the rule
4. For the action, select Block
5. Enable the Application toggle, the Enable toggle, and the Notify user toggle
6. Set the logging severity to Warning
7. In the Source applications window, click Add and enter C:\Windows\System32\cmd.exe
8. On the next page, enable the Start new application toggle
9. Select All applications from the drop-down menu and click Finish

After this, you will be able to see in the HIPS logs which application is executing cmd.exe

Edited June 24 by MHRSFI

[Nataniell 0]

This one?  @MHRSFI

Edited June 24 by Nataniell

[MHRSFI 1]

22 minutes ago, Nataniell said:

This one?  @MHRSFI

I don't see anything wrong with the log in your picture. Could you try adding another rule similar to the previous one?

For step 5, instead of adding cmd.exe, select All applications. On the next page, enable All application operations. Then, click Add and enter C:\Windows\System32\cmd.exe

If you find these rules unhelpful, you should remove them.

[Nataniell 0]

5 minutes ago, MHRSFI said:

I don't see anything wrong with the log in your picture. Could you try adding another rule similar to the previous one?

For step 5, instead of adding cmd.exe, select All applications. On the next page, enable All application operations. Then, click Add and enter C:\Windows\System32\cmd.exe

If you find these rules unhelpful, you should remove them.

Conhost.exe is in that picture... This Conhost use CMD.exe after reboot.

Edited June 24 by Nataniell

[itman 1,747]

1 hour ago, MHRSFI said:

7. In the Source applications window, click Add and enter C:\Windows\System32\cmd.exe
8. On the next page, enable the Start new application toggle
9. Select All applications from the drop-down menu

Change the rule to the following;

1 . In the Source applications window, delete C:\Windows\System32\cmd.exe. In the top window, select "All applications."

2. In the Applications section, in the top window select "Specific applications." Then add C:\Windows\System32\cmd.exe and C:\Windows\SysWOW64\cmd.exe.

This will show what is running cmd.exe. I suspect it will show svchost.exe which really tell us nothing since we need to know what service is being used.

Post a screen shot of the Eset alert. I believe that might show the service being used.

Edited June 24 by itman

[Nataniell 0]

What now? 

[itman 1,747]

5 minutes ago, Nataniell said:

What now? 

Something is wrong with your HIPS rule.

Post a screen shot of Source applications and Applications sections.

[Nataniell 0]

First source apps

then appliocations

[itman 1,747]

2 minutes ago, Nataniell said:

First source apps

Does the shown wording translate to All Applications?

[Nataniell 0]

• yes - všechny aplikace = all aplications