What malware resides here? Avast detects Win32:Malware-gen!

Mining detected?

Flagged: https://urlquery.net/report/208888a4-da0a-4b35-8ce9-09c4264bb3c1
See: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Ll58bl1uZlt9ey5eXW1gXmZue3dgYG1dI3Vse3MucGhwYFtuI3t4LnBocA%3D%3D~enc
while website has outdated PHP: https://sitecheck.sucuri.net/results/www.canonfire.com/cf/index.php

On IP: https://tracker.fumik0.com/search=188.120.224.18

Many detect: https://www.virustotal.com/#/url/1f565a49a43577c255fb12fa7df842dbb0c46023d1d6587d1fac742ad36b5069/detection
and Avast detects as: Win32:Malware-gen

polonus

Real interesting background read on Haruko’s detection:
-https://tracker.fumik0.com/learning

Disclaimer: Examples of commands used by attackers for DFIR / CERT / SOC analysts; this is a good start for signatures and learning some stuff. Disclaimer: These are real cases of commands (good or malicious). I am not responsible for your acts
([i]for educational purposes only by ethical security researchers[/i]). As there are other tools, like: -https://manalyzer.org/report/fdc1a95188cf00160a05ea4a1d50e84c (security researchers can revive the link ;) from: -https://tracker.fumik0.com/links

polonus

What malware resides here?
Coinminer

https://www.virustotal.com/#/file/f6a335b317073b793529f994c85e5db770228d3a4131ea9e29e0deae3cfc40d5/detection

Is this obfuscated miner detected and being blocked?
-https://authedmine.com/lib/authedmine.min.js
Given as a low-security risk for this optional miner: https://sitecheck.sucuri.net/results/https/authedmine.com/lib/authedmine.min.js
See: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fHV0aHsjbVtuey5eXW1gbFtiYHx1dGh7I21bbnsubVtuLmpz~enc

polonus

Is this obfuscated miner detected and being blocked?
URL blacklist check > [b]authedmine.com/lib/authedmine.min.js[/b] https://www.virustotal.com/#/url/36e027fbb6d7d5b685c06155fd09bb566144a5fee8f1639127509ca43f635135/detection

File scan > authedmine.com/lib/authedmine.min.js
https://www.virustotal.com/#/file/041c727ed0160536c361715b1e9ee7eafc7fe5838f0a4722e6ed01941f7d6ede/detection

Domain blacklist check > authedmine.com/
https://www.virustotal.com/#/url/b6b6242a9507fcfaa11c49790e2bcb4334c03b086c87876dfd045cf02094148c/detection

File scan > output.114021424.txt
https://www.virustotal.com/#/file/b2a81b90c589408775a0622d3f5458a3f9d25011fc12e883699178ec2cb37b77/detection

Thank you, Pondus, that is overtly clear then.

Miners, optional or not, are all frowned upon, and all are being alerted to.
Let there be no doubt about it that AV does not like mining code.

polonus