Win32/Coin.Miner [Threat Name]

Win32/Coin.Miner.AFR [Threat Variant Name]

Category trojan
Size 1443332 B
Detection created Apr 28, 2017
Detection database version 15329
Aliases Trojan:Win32/CoinMiner.AZ!bit (Microsoft)
  BackDoor.Spy.422 (Dr.Web)
  Troj/Miner-BU (Sophos)
Short description

The trojan serves as a backdoor and can be controlled remotely. It can use the hardware resources of the infected computer to mine the Monero digital currency. The file is run-time compressed (packed) using VMProtect.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\Fonts\sppsrv.exe

It then downloads the remaining component of the infiltration (the miner listed below).

The trojan may create the following files:

  • %windir%\Fonts\history.txt
  • %windir%\Fonts\id.txt
  • %windir%\Fonts\LMS.exe (Win32/CoinMiner.AGI, Win64/CoinMiner.BR)

The trojan registers itself as a system service using the following name:

  • Microsoft .NET Framework NGEN v4.0.30339

This causes the trojan to be executed on every system start. The service name imitates the legitimate .NET Framework NGEN service (Microsoft .NET Framework NGEN v4.0.30319_X86 / _X64, which runs mscorsvw.exe from %windir%\Microsoft.NET); note the different version number and the binary path under the Fonts folder.
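A hunt for the installation artefacts listed above, as an added PowerShell example that is not part of the original entry. It checks the dropped file names in %windir%\Fonts and looks for NGEN-named services whose binary does not live under the legitimate .NET Framework directory. The exact names and paths come from this entry; the assumption that a clean host has no executables in the Fonts folder and that the only legitimate NGEN services run mscorsvw.exe from %windir%\Microsoft.NET is mine, not something the entry states.

```powershell
# Added IOC check for Win32/Coin.Miner.AFR installation artefacts.
# Example code, not part of the original ESET entry. Run in an elevated
# PowerShell session; exit code 1 when anything suspicious is found.

$fontsDir = Join-Path $env:windir 'Fonts'
# File names taken from the entry
$iocFiles = @('sppsrv.exe', 'history.txt', 'id.txt', 'LMS.exe')
# Service name taken from the entry
$iocService = 'Microsoft .NET Framework NGEN v4.0.30339'
# Assumption: legitimate NGEN services run from this tree
$legitNgenRoot = Join-Path $env:windir 'Microsoft.NET'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files. The Fonts folder holds no executables on a clean host,
#    so any .exe there is reported, not only the names listed in the entry.
foreach ($name in $iocFiles) {
    $p = Join-Path $fontsDir $name
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("IOC file present: $p (SHA256 $hash)")
    }
}
Get-ChildItem -LiteralPath $fontsDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin $iocFiles } |
    ForEach-Object { $findings.Add("Unexpected executable in Fonts: $($_.FullName)") }

# 2. Persistence service. Match the exact name from the entry, and also any
#    NGEN-looking service whose binary is outside %windir%\Microsoft.NET.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc  = $_
    $path = [string]$svc.PathName
    $looksLikeNgen = ($svc.DisplayName -like 'Microsoft .NET Framework NGEN*') -or
                     ($svc.Name -like '*NGEN*')
    if ($svc.DisplayName -eq $iocService -or $svc.Name -eq $iocService) {
        $findings.Add("IOC service registered: '$($svc.DisplayName)' -> $path")
    }
    elseif ($looksLikeNgen -and $path -notlike "$legitNgenRoot*") {
        $findings.Add("NGEN-lookalike service '$($svc.DisplayName)' ($($svc.Name)) runs: $path")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Coin.Miner.AFR installation artefacts found.'
    exit 0
}
$findings | ForEach-Object { Write-Output "[!] $_" }
exit 1
```

The path comparison is deliberately on the service binary rather than the display name, because the display name is the part the malware chose to copy; a lookalike that fixed the version number would still be caught by a binary path under %windir%\Fonts.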

Information stealing

The following information is collected:

  • external IP address of the network device
  • installed antivirus software
  • memory status
  • CPU information
  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (5) URLs. The HTTPS protocol is used in the communication.


It may perform the following actions:

  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files

The following programs are terminated:

  • taskmgr.exe
  • procexp.exe

The trojan can use the hardware resources of the infected computer for mining the Monero digital currency.
