Trojan:Win32/CoinMiner.CZ
First posted on 23 March 2019.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/CoinMiner.CZ.
Explanation:
TrojanDownloader:Win32/Esendi.A drops this coin miner into the %TEMP% folder as a DLL file named setup_x86.tmp. To run the installation routines in the dropped DLL, Esendi launches the system file regsvr32.exe with the following command line:
regsvr32.exe /n /s "%TEMP%\setup_x86.tmp" /i:"/cp"
The /n switch tells regsvr32 not to call the DLL's DllRegisterServer export, /i: makes it call DllInstall instead and pass the string after the colon ("/cp" here) as that function's argument, and /s suppresses any message boxes. No COM registration takes place; regsvr32 is only being used as a trusted, signed loader for the dropped DLL, and the .tmp extension does not stop it from loading the file.
Once running, this coin miner creates a copy of itself under the %LOCALAPPDATA% folder using a randomly generated GUID (in CLSID format) as the file name. It sometimes adds a .dll extension to the file name, for example:
%LOCALAPPDATA%\1937E0A0-CAF2-49CD-21E1-3F675EAAEE42\C228FC61-1CA0-69C9-C11C-1FDB52D60420.dll
For persistence, it creates a scheduled task so that the copy starts automatically with Windows. The scheduled task again uses regsvr32.exe to run the dropped copy, with parameters that trigger coin mining and other routines:
regsvr32.exe /n /s /i:"//q" " "
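As an added example (not code from the Microsoft write-up or from the malware), the following Python detector parses regsvr32 command lines and flags the two invocations described above: a DllInstall-only call (/n together with /i) whose module lives in a user-writable directory, carries a non-DLL extension, or has a bare GUID as its file name. It runs over constructed process-creation records; the record format, the parent images and the expanded file paths in the samples are assumptions, as is the drop path used for the scheduled-task line, which the write-up leaves blank.

```python
import re

# A double-quoted run is one token; everything else splits on whitespace (Windows-style).
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
_GUID_RE = re.compile(r'^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$', re.I)
# Drop/copy locations named in the write-up, as literal variables and as expanded paths.
_USER_WRITABLE_DIRS = ('%TEMP%', '%LOCALAPPDATA%', '\\TEMP\\', '\\APPDATA\\LOCAL\\')


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmdline)]


def parse_regsvr32(cmdline):
    """Return the switches and module path of a regsvr32 command line, or None if it is not regsvr32."""
    toks = tokenize(cmdline)
    if not toks or toks[0].replace('\\', '/').rsplit('/', 1)[-1].lower() != 'regsvr32.exe':
        return None
    info = {'silent': False, 'no_register': False, 'install_arg': None, 'module': None}
    for tok in toks[1:]:
        low = tok.lower()
        if low == '/s':                                   # silent: no message boxes
            info['silent'] = True
        elif low == '/n':                                 # do not call DllRegisterServer
            info['no_register'] = True
        elif low == '/i' or low.startswith('/i:'):        # call DllInstall, passing the text after the colon
            info['install_arg'] = tok[3:].strip('"') if low.startswith('/i:') else ''
        elif tok.startswith('/'):                         # /u, /c and any other switch are irrelevant here
            continue
        else:
            info['module'] = tok.strip()                  # the DLL regsvr32 will load
    return info


def suspicious_reasons(cmdline):
    """Reasons a regsvr32 command line matches the CoinMiner.CZ drop/persistence pattern (empty = no match)."""
    info = parse_regsvr32(cmdline)
    if info is None:
        return []
    reasons = []
    if info['no_register'] and info['install_arg'] is not None:
        reasons.append('DllInstall-only invocation (/n with /i) skips COM registration')
    module = info['module']
    if module:
        upper = module.upper()
        if any(marker in upper for marker in _USER_WRITABLE_DIRS):
            reasons.append('module loaded from a user-writable directory')
        name = upper.replace('\\', '/').rsplit('/', 1)[-1]
        stem, ext = name.rsplit('.', 1) if '.' in name else (name, '')
        if ext not in ('DLL', 'OCX', 'AX'):
            reasons.append('module extension is not a COM server type (.%s)' % ext.lower())
        if _GUID_RE.match(stem):
            reasons.append('module file name is a bare GUID')
    return reasons


# Constructed process-creation records (time, parent image, command line); not real telemetry.
# The first two mirror the drop and the scheduled-task launch described in the write-up;
# the paths are assumed. The third is a benign registration for contrast.
SAMPLE_LOG = [
    ('2019-03-23T10:00:01', 'C:\\Users\\alice\\Downloads\\invoice.exe',
     'regsvr32.exe /n /s "%TEMP%\\setup_x86.tmp" /i:"/cp"'),
    ('2019-03-23T10:00:05', 'C:\\Windows\\System32\\svchost.exe',
     'regsvr32.exe /n /s /i:"//q" "C:\\Users\\alice\\AppData\\Local\\'
     '1937E0A0-CAF2-49CD-21E1-3F675EAAEE42\\C228FC61-1CA0-69C9-C11C-1FDB52D60420.dll"'),
    ('2019-03-23T10:01:00', 'C:\\Windows\\System32\\msiexec.exe',
     'regsvr32.exe /s "C:\\Windows\\System32\\mshtml.dll"'),
]


def scan_process_log(records):
    """Return the records whose command line matches, with the reasons attached."""
    hits = []
    for when, parent, cmdline in records:
        reasons = suspicious_reasons(cmdline)
        if reasons:
            hits.append({'time': when, 'parent': parent, 'cmdline': cmdline, 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in scan_process_log(SAMPLE_LOG):
        print(hit['time'], hit['cmdline'])
        for reason in hit['reasons']:
            print('   -', reason)
```

The first two sample records are flagged and the benign mshtml.dll registration is not. In practice, a DllInstall-only call (/n with /i) from a user-writable path is rare enough in legitimate software that it is worth an alert on its own; the extension and GUID checks are there to rank the hit, not to gate it.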
Coin mining payload
This coin miner is a trojanized version of the XMRig coin mining application. The following strings in its code indicate that it is based on this open source, CPU-based Monero (XMR) miner:
.nicehash.com
.minergate.com
We have observed this coin miner connect to the following pool servers while mining cryptocurrencies:
aloneliste.info
canalysef.info
defeaiset.info
deparage.info
familtony.info
floatiad.info
genergyc.info
haractual.info
housandry.info
ibusinese.info
magnificy.info
marialen.info
marlese.info
mcmasted.info
methosef.info
millared.info
nervationf.info
pleastersa.info
pointment.info
protefuo.info
relateriat.info
respeciale.info
runcichly.info
singerials.info
slicentral.info
spendenta.info
spreamu.info
sweethod.info
unspective.info
vicarafael.info
votione.info
whereason.info
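Added example, not part of the original description: a Python check that matches DNS query names against the pool list above (a listed domain or any subdomain of it, plus the two public pool hosts found as strings in the binary) and a second check for the Stratum JSON-RPC "login" request XMRig sends to a pool when it connects. The DNS records and the login message are constructed samples, and the assumption that this trojanized build keeps XMRig's unmodified login message shape is just that, an assumption.

```python
import json

# Pool domains listed in the write-up for this sample.
COINMINER_CZ_POOLS = frozenset("""
aloneliste.info canalysef.info defeaiset.info deparage.info familtony.info
floatiad.info genergyc.info haractual.info housandry.info ibusinese.info
magnificy.info marialen.info marlese.info mcmasted.info methosef.info
millared.info nervationf.info pleastersa.info pointment.info protefuo.info
relateriat.info respeciale.info runcichly.info singerials.info slicentral.info
spendenta.info spreamu.info sweethod.info unspective.info vicarafael.info
votione.info whereason.info
""".split())

# Public pool hosts that appear as strings in the binary.
XMRIG_STRING_HINTS = ('nicehash.com', 'minergate.com')


def _under(host, domain):
    """True if host equals domain or is a subdomain of it (label boundary respected)."""
    return host == domain or host.endswith('.' + domain)


def matches_pool(host):
    """True if host is one of the listed pools or a subdomain of one, e.g. pool.aloneliste.info."""
    h = host.lower().rstrip('.')
    return any(_under(h, d) for d in COINMINER_CZ_POOLS)


def classify_qname(qname):
    """Return a label for a DNS query name of interest, or None."""
    h = qname.lower().rstrip('.')
    if matches_pool(h):
        return 'CoinMiner.CZ pool domain'
    if any(_under(h, d) for d in XMRIG_STRING_HINTS):
        return 'public pool named in XMRig strings'
    return None


def scan_dns(lines):
    """Records are '<time> <client> <qname>' (a constructed format, not a real resolver log)."""
    hits = []
    for line in lines:
        when, client, qname = line.split()
        label = classify_qname(qname)
        if label:
            hits.append((when, client, qname, label))
    return hits


def is_stratum_login(payload):
    """True if a text line is a Stratum JSON-RPC 'login' request of the kind XMRig sends
    on connecting to a pool (method 'login', params carrying at least login and pass).
    That this sample keeps XMRig's unmodified login shape is an assumption."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(msg, dict) or msg.get('method') != 'login':
        return False
    params = msg.get('params')
    return isinstance(params, dict) and 'login' in params and 'pass' in params


# Constructed samples: a short DNS log and the first payload line of a miner session.
SAMPLE_DNS = """\
2019-03-23T10:00:07 10.0.0.15 pool.aloneliste.info
2019-03-23T10:00:07 10.0.0.15 www.microsoft.com
2019-03-23T10:00:09 10.0.0.15 runcichly.info
2019-03-23T10:00:10 10.0.0.22 xmr.nicehash.com
""".splitlines()

SAMPLE_LOGIN = ('{"id":1,"jsonrpc":"2.0","method":"login",'
                '"params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/2.14.1"}}')

if __name__ == '__main__':
    for hit in scan_dns(SAMPLE_DNS):
        print('%s %s -> %s (%s)' % hit)
    print('stratum login:', is_stratum_login(SAMPLE_LOGIN))
```

Matching on the registered domain rather than the exact host matters because pools are usually addressed through a subdomain or a per-port hostname; the domain list is the durable indicator, and the Stratum check catches a rebuilt sample that has moved to pools not on the list.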
Last update 23 March 2019