Closed freakovision closed 3 years ago
Aight, I managed to run it without admin privilege, but can't confirm if it's working. For some reason Process Manager doesn't show the conhost.exe in which I inject the miner even though sihost64.exe is running.
Hmm, since sihost64.exe is running then it should be working, can't you see any conhost.exe at all? Also, you can execute files through the file browser thing, you don't need to use a reverse shell.
Yeah I know. Just wanted to see if there are any errors.
Could you please test my build on Win10 virtual machine? I just can't use any VM with my low specs. https://dropmefiles.com/3RRvl Password is admin.
Yes it works for me, are you using an older version of the builder?
Weird! I'm using the latest version. That Add-MpPreference error was only on one of the slaves. The others just refused to work after the first phase. I mean the executable works for the 30 seconds or so that I set as a delay and never drops a payload in system32 or a fallback location.
It doesn't drop services64.exe into System32? Yours does for me.
Same for me but not for slaves. Probably a RAT issue?
Might be.
What is the most optimal CPU load?
20-40% Max CPU for the maximum amount of stealth and 60-80% Idle CPU is good. I have it set to 20% Max CPU and 80% Idle CPU as default because it's the most stealthy.
I have a few suggestions. Add a fake error and, most importantly, the ability to start the miner in the next session so it doesn't start to rape the fans instantly.
Well, you could add one line in the code to add a fake error in Loader.cs (though you'd probably have to check if it's in the install location or not, could possibly add detections). 20% Max CPU shouldn't even make the fans move so that shouldn't be a problem.
I'm not targeting the best computers, they have like 3-4 logical processors on average, so the load is always 25-33%, which is pretty noticeable and suspicious, especially in summer. And yeah, I already added a fake error in the loader. Just wanted to see it in your release :)
Aren't you afraid to host online download links on your site? You can be charged for being involved in malware activity.
Well, I only host the URLs which lead to GitHub and nothing more; if I hypothetically would get charged for anything, then would it not be for the miner you're currently writing an issue on?
I don't think cops are that stupid. Btw have you heard of the icanhazip.com owner? He almost went to prison because his site was used in malware activity even though it only shows your external IP.
Well, you are correct, though I don't really "own" any of it, neither the domain nor the server.
I don't really "own" any of it
I hope the police will have the same opinion :P
True the police does ignore the law a lot, especially here.
Can I add a prefix to the random worker name?
Like this: walletadress.Boobs_{%RANDOM%}
Yes that will work fine.
Also it would be great to have an IP logger in it, so we can know the ratio of downloads/runs. Will this line of code increase the detections?
It could increase detections, it's better to add that yourself since I don't really want to support any special kind of external service, you could theoretically use an IPLogger redirect to the config for the 'Remote Configuration' so it logs the computer before getting the 'Remote Configuration'.
Miner stops working after some time. Most likely after donation. I can see sihost64 on several computers and there is no task manager or similar apps open, but no shares submitted to nanopool.
I haven't really changed anything much with the donation from the original XMRig so if that one works then this one will work as well. Are you using {%COMPUTERNAME%} to check? Since nanopool has a very high share difficulty (400 000) it can take between 5-30 minutes per share to be submitted depending on the CPU and the Max CPU percentage.
It was like 4 hours, no shares from any running PC.
None at all? Try another pool then, I have a miner running 24/7 and have had it running for 2 years now (I update it with each release) and it's still working.
It loads the CPU on all computers but I don't get any shares. Why?
Try another pool if you use 'Remote Configuration', I can't know why you're not getting shares, it shouldn't have anything to do with the miner at least.
The injected miner just keeps closing and starting again. What could be wrong?
The XMR miner? The explorer.exe opens and closes? Only reason that could happen is if the connection settings are wrong or if they can't connect I guess though I have never seen that happen before.
Now the memory usage fluctuates a lot. What the hell?
Do you use 'Remote Configuration'? Make sure that keepalive is set to false since nanopool has issues with it.
It's false
Hmm, try setting it to another pool, only thing which could do that is if there is something wrong with the pool connection.
Changed to Minergate. It mines but memory usage is still crazy.
conhost.exe 14704 Console 1 2,407,860 K
Edit. Ok, it's fine. Memory usage doesn't fluctuate now.
2GB you mean? The RandomX algorithm (Monero) uses 2GB of RAM for the huge pages feature and is normal, without huge pages the hashrate would be really low. If you want less RAM usage then you can mine some other cryptocurrency which uses some other algorithm, you can see the algorithms supported here: https://xmrig.com/docs/algorithms.
But why did I have problems with nanopool, do you have any idea? I'm pinging nanopool and it's responding, so nothing blocks it. What the hell?
Good question, I believe it should work and haven't seen any problems. When you changed pool did any workers appear?
When I manually killed the miner process on the slave PC it appeared.
Yeah the XMR miner will only retrieve the 'Remote Configure' on the startup of the miner. If it appeared then there was something wrong with the pool connection, very weird.
Process died again.
Hmm, the XMR miner should theoretically never close itself due to how XMRig works and I've never seen it happen either so I'm not sure how that is happening. Try using something other than MinerGate since they are notorious for having bad servers.
Could VPN be the source of the problem?
Yes definitely, the pool could be blocking the VPN IP which isn't that uncommon or there could be some other thing blocking or interfering with the connection.
I keep getting views on pastebin but there is no hashrate.
Try running it yourself, does it use any CPU? Also make sure that all the settings are correct in the pastebin.
Everything works on my PC.
Then it should work, it can't use any CPU unless it gets a job from the pool, can you send the pastebin content here but censor the wallet address in case anything is incorrect?
Miner doesn't work when I try to run it on RAT-infected computers. I use AsyncRAT by NyanCat. When I tried to drop it on disk and run it through a reverse shell it said "MpPreference not found" or something like that, it was a long ass error, can't tell exactly rn. I tried the miner with and without admin privilege, the RAT had admin privilege, all computers had Windows 10 64 bit on them.
P.S. It works on my PC tho.