W32/CoinMiner.ASH!tr
Analysis
W32/CoinMiner.ASH!tr is a generic detection for a trojan. Since this is a generic detection, malware detected as W32/CoinMiner.ASH!tr may have varying behaviour.
Below are examples of some of these behaviours:
- This malware may drop any of the following file(s):
  - %Temp%\KAV2.dll : During the time of our tests, this file was a 0-byte file.
  - %Temp%\license.key : This file is non-malicious.
  - %AppData%\[Random]\Pablo_v2_JUNZRD.exe : This file is detected as Adware/FileTour.
  - %AppData%\[Random]\winhost.exe : This file is detected as W32/CoinMiner.ASH!tr.
  - %AppData%\Microsoft\Windows\winhost.exe : This file is detected as W32/CoinMiner.ASH!tr.
- This malware may connect to any of the following remote site(s):
  - tuomine{Removed}.ru
  - hxxp://tuomine{Removed}.ru/archive.zip
- This malware may issue a command line that may have any of the following effects:
  - pass a parameter to the dropped file Pablo_v2_JUNZRD using /SL5=.
  - create a scheduled task named System\SecurityService that runs winhost.exe daily.
- Based on these behaviours, this malware is believed to be used for bitcoin mining.
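A host-triage helper, added here as an example (not Fortinet's tooling), that matches observed file paths, scheduled-task names and contacted hosts against the indicators listed above. The user profile paths in ENV and the sample observations are constructed, and the page's own [Random] and {Removed} placeholders are matched as wildcards rather than guessed.

```python
import re

# Indicators transcribed from the advisory above. "[Random]" is the page's own
# placeholder for a randomly named directory and "{Removed}" a redacted part of
# the domain; both are matched as wildcards, never guessed.
DROPPED_FILES = [
    r"%Temp%\KAV2.dll",
    r"%Temp%\license.key",
    r"%AppData%\[Random]\Pablo_v2_JUNZRD.exe",
    r"%AppData%\[Random]\winhost.exe",
    r"%AppData%\Microsoft\Windows\winhost.exe",
]
REMOTE_HOSTS = ["tuomine{Removed}.ru"]
SCHEDULED_TASK = r"System\SecurityService"

# Constructed environment for a hypothetical user profile (assumption).
ENV = {
    "Temp": r"C:\Users\alice\AppData\Local\Temp",
    "AppData": r"C:\Users\alice\AppData\Roaming",
}

def path_pattern(indicator, env=ENV):
    """Turn an advisory path into a case-insensitive regex over real paths."""
    pat = ""
    for piece in re.split(r"(%\w+%|\[Random\])", indicator):
        if piece == "[Random]":
            pat += r"[^\\]+"  # exactly one directory level of any name
        elif piece.startswith("%") and piece.endswith("%"):
            pat += re.escape(env[piece.strip("%")])  # expand %Temp%, %AppData%
        else:
            pat += re.escape(piece)
    return re.compile("^" + pat + "$", re.IGNORECASE)

def host_pattern(indicator):
    """The redacted span may be any run of hostname characters."""
    parts = [re.escape(p) for p in indicator.split("{Removed}")]
    return re.compile("^" + r"[\w.-]*".join(parts) + "$", re.IGNORECASE)

def scan(files, tasks, hosts):
    """Return (kind, observed, indicator) for every hit; [] if nothing matched."""
    hits = []
    for f in files:
        hits += [("file", f, i) for i in DROPPED_FILES if path_pattern(i).match(f)]
    for t in tasks:
        if t.strip("\\").lower() == SCHEDULED_TASK.lower():  # task paths may lead with "\"
            hits.append(("task", t, SCHEDULED_TASK))
    for h in hosts:
        hits += [("host", h, i) for i in REMOTE_HOSTS if host_pattern(i).match(h)]
    return hits
```

Feed it the file listing, `schtasks`/Task Scheduler export and DNS or proxy log hosts from a suspect machine; any non-empty result is a reason to quarantine per the Recommended Action below.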
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2019-11-26 | 73.35800 | Sig Updated |
2019-10-24 | 72.57200 | Sig Updated |
2019-10-18 | 72.42500 | Sig Updated |
2019-09-25 | 71.87600 | Sig Added |
2019-09-11 | 71.54100 | Sig Added |
2019-09-06 | 71.41700 | Sig Added |
2019-08-12 | 70.67400 | Sig Added |
2019-07-22 | 70.17700 | Sig Added |
2019-07-03 | 69.71700 | Sig Added |
2019-07-02 | 69.69300 | Sig Added |