VirusW32/CoinMiner.TY!tr
Analysis
W32/CoinMiner.TY!tr is a generic detection for a trojan associated with Bitcoin mining.
Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may connect to the following site(s) and may download the file wall.get.xml:
- hxxp://api.{Removed}.com/method/wall.get.xml
- 1.{Removed}.z8.ru
- This malware creates the following mutex
- SamaelLovesMe
- This malware creates the following processes
- ActivateDesktop.exe
- registry_tool.exe -autorun C:\.Trash-100\ActivateDesktop.exe
- This malware may also try to open the following files
- framework_exe
- miner_exe_name
- 2ee31f9a6a0720f7074b05e7b0f3d9c2792c4c707f0af30e5896331c531f1720
- ActivateDesktop.exe
- registry_tool.exe
- registry_tool.exe -autorun
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2020-10-13 | 81.06700 | Sig Updated |
| 2020-08-18 | 79.72600 | Sig Updated |
| 2020-05-26 | 77.70500 | Sig Updated |
| 2020-03-07 | 75.78600 | Sig Updated |
| 2019-12-10 | 73.69300 | Sig Updated |
| 2019-11-12 | 73.02100 | Sig Updated |
| 2019-10-15 | 72.34800 | Sig Updated |
| 2019-10-12 | 72.27600 | Sig Updated |
| 2019-10-11 | 72.24600 | Sig Updated |
| 2019-10-08 | 72.18000 | Sig Updated |