Trojan:Win64/CoinMiner
First posted on 14 August 2018.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win64/CoinMiner.
Explanation:
This threat is a 64-bit executable that has been observed going by the name:
xbox-service.exe
Installation
It registers itself as a Windows service by creating an entry in this registry key:
HKLM\System\CurrentControlSet\Services\Windows Driver Service
It creates a copy of itself as:
C:\Windows\System32\xbox-service.exe
The dropped copy creates this 1.5 MB 64-bit DLL:
dll.dll (file name)
1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (SHA-256)
Payload
The DLL file contains configuration information that determines how this threat mines Monero (XMR) coins. It connects to the following:
- Pool address: monerohash.com:80
- Wallet: 4AMwzz1TtGgdyouAzZH1HRRkQiT4eDzGLcQjLgSWbZMA6Zhs2e8fALTfm5osmGNragMTv5VFyTCsuc3WZECg3hEyD6sL9py
The DLL file also includes these CPU usage instructions:
"low_power_mode" : false
"use_slow_memory" : "warn",
"Nicehash_nonce" : false,
"aes_override" : null
The analysis provided here is based on the following sample:
fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (SHA-256)
Last update 14 August 2018