Minergate

Threat Scorecard

Ranking: 2,909
Threat Level: 10 % (Normal)
Infected Computers: 31,668
First Seen: October 17, 2017
Last Seen: April 19, 2024
OS(es) Affected: Windows

Minergate is a generic detection name used for a large family of cryptocurrency miners released in the last week of November 2017. The Minergate mining tools are programs based on the XMRig Trojan, which we covered in September 2017; we continued to record new variants in the following months. The Minergate mining software is delivered to PC users via fake software updates for Java, Adobe Flash, the Windows fonts repository, Google Chrome and Mozilla Firefox. We had recorded more than forty variants of the Minergate mining Trojans as of December 4th, 2017. Computer security analysts say that the rise in price of cryptocurrencies like Bitcoin, Monero, and Ethereum is likely to be a catalyst for the continued development of mining Trojans in 2018.

The strains of Minergate are slightly modified versions of the original program. The Minergate Trojans are designed to perform complex calculations and verify payments made with Bitcoin, Monero, Dogecoin, Litecoin and Ethereum. The range of digital coins supported by Minergate may expand, considering that it is comparatively easy to obtain a copy of XMRig and modify it. AV companies are known to flag the objects associated with the Minergate wave of mining tools using detection names like Trojan:Win64/CoinMiner, Trojan.Win32.Generic!BT, TR/CoinMiner.ME, JS:Miner-C, Win64:Rootkit-gen [Rtk], HEUR/Malware.QVM18.Gen, Win32:GenMalicious-HFA [Trj], PUP/Win64.BitCoinMiner.R190714, Unwanted-Program ( 004fc8691 ) and Trojan.Amonetize. The following process names might be displayed in the Task Manager of compromised systems:

Affada.exe, AppxadsulP.exe, Bot.exe, Cppredistx86.exe, Cpucheck.exe, DirectX11b.exe, Helper.exe, Image.exe, Install6.exe, Mess.exe, Msvc.exe, Musallat.exe, NVIDIA.exe, Nheqminer.exe, Nsgpucnminer.exe, Optimizer.exe, Sc.exe, Test.exe, Update_new.exe, VideoCardUpd, Vlngp1.exe, Windows-upt.exe, Wupdate.exe, XMgrenim.exe, Zcash.exe, minergate.exe, runhosts.exe, slmgr32.exe, svchostr.exe, synctask.exe, sysConfig.bat, uninstaller.exe, vnlgp.exe, winin1t.exe, Up.exe, Wniheuzori.exe, slove.exe, wuauclt.exe, Xmriig.exe, Platforms.exe, Xm86.exe, Vshub.exe, Svshost.exe, Zqeyx aaxo.exe, Nvdisplay.exe, Anydeskapp.exe, GEN.exe, Hjhdgshjef.exe, Svchose.exe, Qc64.exe, Duckgo.exe, Iconrdb.exe

You should note that the black hat hackers behind the Minergate Trojans are using file names associated with legitimate products like Nvidia Experience, CPU Check, svchost.exe, and Windows Update to minimize the risk of being detected by AV tools. Even experienced users may not be able to distinguish a fake process from a legitimate one when searching for the Minergate program. Tools like Minergate, which are used to hijack system resources on remote computers, can cause system instability, increased electricity bills and increased heat in the computer case. PC users are advised to use a trusted anti-malware scanner to find and eliminate the Minergate variants safely. The following folders are created by the Minergate malware, but they may be used by legitimate apps as well, so you should exercise caution:

C:\Program Files\G89CXYP6N9\
C:\Program Files\Internet Explorer\BCDNJTWLUX
C:\Program Files\jetstrmedia\netmedia
C:\ProgramData\AppxadsulP
C:\ProgramData\CupCheck
C:\ProgramData\DirectX11b
C:\ProgramData\Microsoft\DhcQ
C:\ProgramData\Natihial
C:\Users\<username>\AppData\LocalLow\Microsoft\
C:\Users\<username>\AppData\LocalLow\Microsoft\Windows\System32\Recovery
C:\Users\<username>\AppData\LocalLow\Microsoft\directx11b
C:\Users\<username>\AppData\LocalLow\Microsoft\framework
C:\Users\<username>\AppData\LocalLow\Microsoft\microsoftcom
C:\Users\<username>\AppData\LocalLow\Microsoft\natihial
C:\Users\<username>\AppData\LocalLow\Microsoft\windowssql
C:\Users\<username>\AppData\LocalLow\SLMgr
C:\Users\<username>\AppData\LocalLow\wupdate
C:\Users\<username>\AppData\Local\Optimizer
C:\Users\<username>\AppData\Local\Temp
C:\Users\<username>\AppData\Local\Temp\1400.tmp
C:\Users\<username>\AppData\Microsoft\Windows
C:\Users\<username>\AppData\Roaming\FastCh
C:\Users\<username>\AppData\Roaming\Server\
C:\Users\<username>\AppData\Roaming\Windows_x64_nhqeminer-5c
C:\Users\<username>\AppData\Roaming\bodor
C:\Users\<username>\AppData\Roaming\images
C:\Users\<username>\AppData\Roaming\vnlgp\vnlgp
C:\Users\<username>\AppData\Roaming\xmgcach
C:\Users\<username>\AppData\Roaming\xmgcash
C:\Users\<username>\AppData\VideoCardUpdater\
C:\Windows\Temp\6E34.tmp\
C:\Windows\slove\
C:\Winsys\
C:\Program Files\29044DMFYR\
C:\Program Files\ALQNKUM7O1
C:\Program Files\Client\
C:\Program Files\HPLion
C:\Program Files\Microleaves\Online Application\Version 2.6.0\
C:\Users\<username>\AppData\Roaming\HWmonitorApp
C:\Windows\Microsoft\Svchost.exe.update
C:\Windows\Windows\9473a2fafe204da49741664f96907b44
C:\Windows\dsp

AppData\AnyDeskApp
AppData\CloudPrinter
AppData\Codec
AppData\Interl Management
AppData\Local\GenericTools
AppData\Local\Programs\Gen
AppData\Local\Temp\is-2PMDK.tmp
AppData\Roaming\AGData\bin
AppData\Roaming\HWmonitorApp
AppData\Ronzap
C:\Windows
C:\Windows\aadhdgh
Program Files (x86)\KvUg2SbQotRx
Program Files\29044DMFYR\
Program Files\ALQNKUM7O1
Program Files\Client\
Program Files\HPLion
Program Files\Microleaves\Online Application\Version 2.6.0\
ProgramData\WindowsVolume
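
The name masquerading described above can be checked mechanically. The following Python sketch is an added example, not part of the original write-up: it flags process images that use a Windows system binary's name outside the system directories, or a near-miss spelling such as svchostr.exe, Svshost.exe or Svchose.exe from the process list. The system directories assume a default C:\Windows install, and the sample paths are constructed.

```python
import ntpath

# Names from the page's process list that belong to real Windows binaries.
SYSTEM_NAMES = ("svchost.exe", "wuauclt.exe", "sc.exe")
# Assumption: default install, so genuine copies live only in these folders.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return (verdict, name) for one process image path."""
    directory, name = ntpath.split(image_path.lower())
    if name in SYSTEM_NAMES:
        # Right name: only trustworthy when it runs from a system directory.
        return ("ok" if directory in SYSTEM_DIRS else "wrong-path", name)
    for real in SYSTEM_NAMES:
        # Long names only: sc.exe is within two edits of many benign names.
        if len(real) >= 10 and edit_distance(name, real) <= 2:
            return ("lookalike", real)
    return ("unknown", name)

# Constructed sample of running process image paths (not taken from the page).
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\svchostr.exe",
    r"C:\ProgramData\Svshost.exe",
    r"C:\Windows\Temp\wuauclt.exe",
    r"C:\Windows\System32\notepad.exe",
]

def suspicious(paths):
    """Return (path, verdict, matched name) for every flagged path."""
    flagged = []
    for path in paths:
        verdict, name = classify(path)
        if verdict in ("wrong-path", "lookalike"):
            flagged.append((path, verdict, name))
    return flagged

if __name__ == "__main__":
    for row in suspicious(SAMPLE):
        print(row)
```

An "unknown" verdict only means the name is not close to one of the three system binaries; the other names in the process list still need a scanner or a hash check.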


File System Details

Minergate may create the following file(s):

Registry Details

Minergate may create the following registry entry or registry entries:

Directories

Minergate may create the following directory or directories:

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\MinerGate
%ALLUSERSPROFILE%\Start Menu\Programs\MinerGate
%PROGRAMFILES%\minergate
%PROGRAMFILES(x86)%\minergate
