PUA.Win64.TOOLXMR.HF
Aliases: HEUR:RiskTool.Win32.CryptoMiner.gen (KASPERSKY)
Platform: Windows

Threat Type: Potentially Unwanted Application
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Dropped by other malware, Downloaded from the Internet
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It does not have any propagation routine.
It does not have any backdoor routine.
It does not have any information-stealing capability.
TECHNICAL DETAILS
File Size: 27,228,414 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 23 Oct 2020
Payload: Drops files
Arrival Details
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Potentially Unwanted Application adds the following folders:
- %ProgramData%\bitmonero
(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)
It drops the following files:
- %ProgramData%\bitmonero\bitmonero.log
- %ProgramData%\bitmonero\lmdb\data.mdb
- %ProgramData%\bitmonero\lmdb\lock.mdb
Autostart Technique
This Potentially Unwanted Application registers and starts the following service:
- Service name: Monero Daemon (executes {Malware file path and name} --install-service --run-as-service)
Propagation
This Potentially Unwanted Application does not have any propagation routine.
Backdoor Routine
This Potentially Unwanted Application does not have any backdoor routine.
Rootkit Capabilities
This Potentially Unwanted Application does not have rootkit capabilities.
Information Theft
This Potentially Unwanted Application does not have any information-stealing capability.
Other Details
This Potentially Unwanted Application accepts the following parameters:
- --help - Produce help message
- --version - Output version information
- --os-version - OS for which this executable was compiled
- --config-file - Specify configuration file
- --install-service - Install Windows service
- --uninstall-service - Uninstall Windows service
- --start-service - Start Windows service
- --stop-service - Stop Windows service
- --log-file - Specify log file
- --max-log-file-size - Specify maximum log file size [B]
- --max-log-files - Specify maximum number of rotated log files to be saved (no limit by setting to 0)
- --max-concurrency - Max number of threads to use for a parallel job
- --public-node - Allow other users to use the node as a remote (restricted RPC mode, view-only commands) and advertise it over P2P
- --zmq-rpc-bind-ip - IP for ZMQ RPC server to listen on
- --zmq-rpc-bind-port - Port for ZMQ RPC server to listen on
- --no-zmq - Disable ZMQ RPC server
- --data-dir - Specify data directory
- --test-drop-download - Discard all blocks instead of checking/saving them
- --testnet - Run on testnet
- --stagenet - Run on stagenet
- --regtest - Run in a regression testing mode.
- --fixed-difficulty - Fixed difficulty used for testing.
- --enforce-dns-checkpointing - Checkpoints from DNS server will be enforced
- --prep-blocks-threads - Max number of threads to use when preparing block hashes in groups.
- --fast-block-sync - Sync up most of the way by using embedded, known block hashes.
- --show-time-stats - Show time-stats when processing blocks/txs and disk synchronization.
- --block-sync-size - How many blocks to sync at once during chain synchronization (0 = adaptive).
- --check-updates - Check for new versions of monero: [disabled|notify|download|update]
- --fluffy-blocks - Relay blocks as fluffy blocks (obsolete, now default)
- --no-fluffy-blocks - Relay blocks as normal blocks
- --test-dbg-lock-sleep - Sleep time in ms, defaults to 0 (off), used to debug before/after locking mutex. Values 100 to 1000 are good for tests.
- --offline - Do not listen for peers, nor connect to any
- --disable-dns-checkpoints - Do not retrieve checkpoints from DNS
- --block-download-max-size - Set maximum size of block download queue in bytes (0 for default)
- --sync-pruned-blocks - Allow syncing from nodes with only pruned blocks
- --max-txpool-weight - Set maximum txpool weight in bytes.
- --pad-transactions - Pad relayed transactions to help defend against traffic volume analysis
- --block-notify - Run a program for each new block
- --prune-blockchain - Prune blockchain
- --reorg-notify - Run a program for each reorg
- --block-rate-notify - Run a program when the block rate undergoes large fluctuations
- --keep-alt-blocks - Keep alternative blocks on restart
- --extra-messages-file - Specify file for extra messages to include into coinbase transactions
- --start-mining - Specify wallet address to mine for
- --mining-threads - Specify mining threads count
- --bg-mining-enable - Enable background mining
- --bg-mining-ignore-battery - If true, assumes plugged in when unable to query system power status
- --bg-mining-min-idle-interval - Specify min lookback interval in seconds for determining idle state
- --bg-mining-idle-threshold - Specify minimum avg idle percentage over lookback interval
- --bg-mining-miner-target - Specify maximum percentage cpu use by miner(s)
- --db-sync-mode - Specify sync option, using format [safe|fast|fastest]:[sync|async]:[<nblocks_per_sync>[blocks]|<nbytes_per_sync>[bytes]].
- --db-salvage - Try to salvage a blockchain database if it seems corrupted
- --p2p-bind-ip - Interface for p2p network protocol (IPv4)
- --p2p-bind-ipv6-address - Interface for p2p network protocol (IPv6)
- --p2p-bind-port - Port for p2p network protocol (IPv4)
- --p2p-bind-port-ipv6 - Port for p2p network protocol (IPv6)
- --p2p-use-ipv6 - Enable IPv6 for p2p
- --p2p-ignore-ipv4 - Ignore unsuccessful IPv4 bind for p2p
- --p2p-external-port - External port for p2p network protocol (if port forwarding used with NAT)
- --allow-local-ip - Allow local IP addresses to be added to the peer list, mostly for debugging purposes
- --add-peer - Manually add peer to local peerlist
- --add-priority-node - Specify list of peers to connect to and attempt to keep the connection open
- --add-exclusive-node - Specify list of peers to connect to only. If this option is given the options add-priority-node and seed-node are ignored
- --seed-node - Connect to a node to retrieve peer addresses, and disconnect
- --tx-proxy - Send local txes through proxy
- --hide-my-port - Do not announce yourself as peerlist candidate
- --no-sync - Don't synchronize the blockchain with other peers
- --no-igd - Disable UPnP port mapping
- --igd - UPnP port mapping (disabled, enabled, delayed)
- --out-peers - Set max number of out peers
- --in-peers - Set max number of in peers
- --tos-flag - Set TOS flag
- --limit-rate-up - Set limit-rate-up [kB/s]
- --limit-rate-down - Set limit-rate-down [kB/s]
- --limit-rate - Set limit-rate [kB/s]
- --rpc-bind-port - Port for RPC server
- --rpc-restricted-bind-port - Port for restricted RPC server
- --restricted-rpc - Restrict RPC to view only commands and do not return privacy sensitive data in RPC calls
- --bootstrap-daemon-address - URL of a 'bootstrap' remote daemon that the connected wallets can use while this daemon is still not fully synced. Use 'auto' to enable automatic public nodes discovering and bootstrap daemon switching
- --bootstrap-daemon-login - Specify username:password for the bootstrap daemon login
- --rpc-bind-ip - Specify IP to bind RPC server
- --rpc-bind-ipv6-address - Specify IPv6 address to bind RPC server
- --rpc-use-ipv6 - Allow IPv6 for RPC
- --rpc-ignore-ipv4 - Ignore unsuccessful IPv4 bind for RPC
- --rpc-login - Specify username[:password] required for RPC server
- --confirm-external-bind - Confirm rpc-bind-ip value is NOT a loopback (local) IP
- --rpc-access-control-origins - Specify a comma separated list of origins to allow cross origin resource sharing
- --rpc-ssl - Enable SSL on RPC connections: enabled|disabled|autodetect
- --rpc-ssl-private-key - Path to a PEM format private key
- --rpc-ssl-certificate - Path to a PEM format certificate
- --rpc-ssl-ca-certificates - Path to file containing concatenated PEM format certificate(s) to replace system CA(s).
- --rpc-ssl-allowed-fingerprints - List of certificate fingerprints to allow
- --rpc-ssl-allow-chained - Allow user (via --rpc-ssl-certificates) chain certificates
- --rpc-ssl-allow-any-cert - Allow any peer certificate
- --rpc-payment-address - Restrict RPC to clients sending micropayment to this address
- --rpc-payment-difficulty - Restrict RPC to clients sending micropayment at this difficulty
- --rpc-payment-credits - Restrict RPC to clients sending micropayment, yields that many credits per payment
It does not exploit any vulnerability.
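The daemon itself is ordinary monerod, so the question for a defender is not only whether it is present but how it was started: the service registration under Autostart Technique and the mining and RPC flags in the parameter list above decide whether a host is merely running a node or mining for somebody else's wallet with its RPC exposed. The following triage script is an added example (not Trend Micro's or the Monero project's code) that checks a host for the artifacts this description lists and reports those flags. The service name "Monero Daemon" and the %ProgramData%\bitmonero paths come from this description; the flag names come from the parameter list; the indicator categories are this example's own.

```powershell
# Added triage script (example, not Trend Micro's or the Monero project's code).
# Checks for the service, dropped files and command-line flags this description
# lists for PUA.Win64.TOOLXMR.HF. Run from an elevated PowerShell 5.1+ prompt.

$indicators = New-Object System.Collections.Generic.List[object]
function Add-Indicator([string]$Type, [string]$Detail) {
    $indicators.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# Service entries: match on the name from the Autostart Technique section, or on the
# flag the daemon leaves in the ImagePath when it registers itself (--run-as-service).
$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.Name -eq 'Monero Daemon' -or $_.DisplayName -eq 'Monero Daemon' -or
    ($_.PathName -and $_.PathName -match '--run-as-service')
}

foreach ($svc in $services) {
    Add-Indicator 'Service' "$($svc.Name) ($($svc.State)): $($svc.PathName)"
    $cmd = [string]$svc.PathName

    # Hash the service binary; the executable's own location is not among the
    # dropped files listed above, so this is where it is recorded for the scan.
    if ($cmd -match '^"?([^"]+?\.exe)"?') {
        $exe = $Matches[1]
        if (Test-Path -LiteralPath $exe) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            Add-Indicator 'Binary' "$exe SHA256=$hash"
        }
    }

    # Flags from the parameter list that turn a plain node into a miner.
    if ($cmd -match '--start-mining[= ]+(\S+)')   { Add-Indicator 'Mining' "mines to wallet $($Matches[1])" }
    if ($cmd -match '--mining-threads[= ]+(\d+)') { Add-Indicator 'Mining' "$($Matches[1]) mining threads" }
    if ($cmd -match '--bg-mining-enable')          { Add-Indicator 'Mining' 'background (idle-time) mining enabled' }

    # RPC exposed beyond loopback. A non-loopback --rpc-bind-ip only takes effect
    # together with --confirm-external-bind, so seeing both is a deliberate choice.
    if ($cmd -match '--rpc-bind-ip[= ]+(\S+)' -and $Matches[1] -notin @('127.0.0.1', '::1', 'localhost')) {
        Add-Indicator 'Network' "RPC bound to $($Matches[1])"
    }
    if ($cmd -match '--confirm-external-bind') { Add-Indicator 'Network' 'external RPC bind confirmed' }
    if ($cmd -match '--public-node')           { Add-Indicator 'Network' 'advertised as a public node over P2P' }
}

# Dropped files from the Installation section.
$dataDir = Join-Path $env:ProgramData 'bitmonero'
foreach ($rel in 'bitmonero.log', 'lmdb\data.mdb', 'lmdb\lock.mdb') {
    $p = Join-Path $dataDir $rel
    if (Test-Path -LiteralPath $p) {
        Add-Indicator 'File' "$p ($((Get-Item -LiteralPath $p).Length) bytes)"
    }
}

# A daemon started by hand (no service entry) still shows the same flags in its
# process command line.
Get-CimInstance -ClassName Win32_Process | Where-Object {
    $_.CommandLine -match '--run-as-service|--start-mining|--bg-mining-enable'
} | ForEach-Object { Add-Indicator 'Process' "PID $($_.ProcessId): $($_.CommandLine)" }

if ($indicators.Count -eq 0) { 'No indicators of PUA.Win64.TOOLXMR.HF found.' }
else { $indicators | Format-Table -AutoSize -Wrap }
```

A hit on the service or files alone means a Monero node is installed; the Mining and Network rows are what distinguish an unwanted install from a node an administrator runs on purpose. The ImagePath regex assumes the usual quoted executable path; an unquoted path containing spaces is cut at the first ".exe".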
SOLUTION
Minimum Scan Engine: 9.800
First VSAPI Pattern File: 2.348.00
First VSAPI Pattern Release Date: 29 Oct 2020
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Disable this malware service
- Monero Daemon
Step 5
Search and delete these files
- %ProgramData%\bitmonero\bitmonero.log
- %ProgramData%\bitmonero\lmdb\data.mdb
- %ProgramData%\bitmonero\lmdb\lock.mdb
Step 6
Search and delete this folder
- %ProgramData%\bitmonero
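Steps 4 through 6 can be carried out as one script. The following is an added example (not Trend Micro's or the Monero project's code) that stops and unregisters the "Monero Daemon" service, deletes the three dropped files and the %ProgramData%\bitmonero folder, and verifies the result. The service name and paths are the ones this description lists; everything else is this example's own.

```powershell
# Added removal script (example, not Trend Micro's or the Monero project's code).
# Performs Steps 4 through 6 above. Run from an elevated PowerShell prompt, in
# Safe Mode (Step 3) if the daemon cannot be stopped in normal mode.

$serviceName  = 'Monero Daemon'
$dataDir      = Join-Path $env:ProgramData 'bitmonero'
$droppedFiles = 'bitmonero.log', 'lmdb\data.mdb', 'lmdb\lock.mdb' | ForEach-Object { Join-Path $dataDir $_ }

# Step 4: stop and unregister the service. The service binary is not among the
# dropped files listed above, so its path is printed here for the scan in Step 7.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if ($svc) {
    "Service '$serviceName' found, ImagePath: $($svc.PathName)"
    if ($svc.State -ne 'Stopped') {
        Stop-Service -Name $serviceName -Force -ErrorAction Stop
    }
    # sc.exe delete is available on every Windows version listed in this description;
    # the Remove-Service cmdlet exists only in PowerShell 6 and later.
    & sc.exe delete $serviceName | Out-Null
    "Service '$serviceName' deleted."
} else {
    "Service '$serviceName' not present."
}

# A daemon still running outside the service holds the LMDB files open; end it
# before deleting them.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.CommandLine -match '--run-as-service' } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force; "Stopped PID $($_.ProcessId)" }

# Step 5: delete the dropped files.
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force; "Deleted $f" }
    else { "Not present: $f" }
}

# Step 6: delete the data folder, including anything else the daemon wrote under it.
if (Test-Path -LiteralPath $dataDir) {
    Remove-Item -LiteralPath $dataDir -Recurse -Force
    "Deleted $dataDir"
}

# Verify before moving on to Step 7.
$serviceLeft = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($serviceLeft -or (Test-Path -LiteralPath $dataDir)) {
    Write-Warning 'Artifacts remain: restart in Safe Mode (Step 3) and run this again.'
} else {
    'Cleanup complete; continue with the scan in Step 7.'
}
```

If a handle to the service is still open when sc.exe deletes it, Windows marks the service for deletion and Get-Service keeps reporting it until the next reboot; the Safe Mode restart in Step 3 clears that case. The script deliberately does not delete the service executable itself, since its location is not part of this description; that file is what the scan in Step 7 detects and quarantines.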
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as PUA.Win64.TOOLXMR.HF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.