Jump to content

Undetected XMRig Coinminer

Recommended Posts

Sample is here: https://bazaar.abuse.ch/sample/9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be/.

VT detection rate is 61/74: https://www.virustotal.com/gui/file/9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be

Upon sample archive extraction, file was sent to LiveGuard w/no file locking at all occuring.

Link to comment
Share on other sites

It is from 2020 yet not detected by ESET? Very strange if the sample is not broken somehow which is unlikely based on the behavior on VT. 

Edited by SeriousHoax
Link to comment
Share on other sites

  • Administrators

The archive contains NSSM potentially unsafe application which is detected. Besides that there is also an old file svchost.exe from 2018 which is detected by a few AVs but it's probably not malicious per se but loads a batch script from the Sqlite database OnTimer.db. The script download payload from a dead url which used to serve Win64/CoinMiner.OF potentially unwanted application in the past (detected since 2019). I've sent svchost.exe to the viruslab to find out if it's subject to detection or not.

Link to comment
Share on other sites

Posted (edited)
4 hours ago, Marcos said:

The archive contains NSSM potentially unsafe application which is detected.

Is this only upon execution of the sample .exe? It was not detected upon file creation;


Ditto for LiveGuard analysis. Does LiveGuard ignore Eset PUA detections?


Time;Hash;File;Size;Category;Reason;Sent to;User
6/29/2024 5:24:06 PM;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;C:\Users\18436\Downloads\9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be.exe;1070725;Executable;Automatic;ESET LiveGuard;xxxxxxxxxxx

-EDIT- I downloaded the sample again. Now Eset detects upon archive extraction;


Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/30/2024 12:13:36 PM;Real-time file system protection;file;C:\Users\xxxxxx\Downloads\9aaf2a66b2754921fe133385136dc6fbe7bc730d5302a002103980bdfc13a1be.exe;multiple detections;deleted;xxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (755AF3328261B37426BC495C6C64BBA0C18870B2).;A268031D2E74F058CBB2AD984E4A5556F59CFCF8;


Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...