win.coinminer

Coinminer


Coinminer is unwanted malicious software that uses the victim's computational resources (mostly CPU and RAM) to mine cryptocurrency (for example Monero or Zcash). The malware achieves persistence by registering one of the open-source miners to run at startup, without the victim's consent. The more sophisticated coin miners use timers or cap their CPU usage in order to remain stealthy.

References

2022-09-15 - Sekoia - Threat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ (accessed 2022-09-19)
Families: Agent Tesla, Coinminer, DanaBot, DCRat, Eternity Stealer, Glupteba, Mars Stealer, NetSupportManager RAT, Nymaim, Nymaim2, Phoenix Keylogger, PrivateLoader, Raccoon, RedLine Stealer, SmokeLoader, Socelars, STOP, Vidar, YTStealer

2022-08-30 - Cisco - Vanja Svajcer
ModernLoader delivers multiple stealers, cryptominers and RATs
https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html (accessed 2022-08-31)
Families: Coinminer, DCRat, ModernLoader, RedLine Stealer, SapphireMiner, SystemBC

2022 - Triskele Labs - Brecht Snijders
Investigating a Monero Coin Miner
https://www.triskelelabs.com/investigating-monero-coin-miner (accessed 2022-08-31)
Families: Coinminer

2021-01-18 - The DFIR Report - The DFIR Report
All That for a Coinminer?
https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/ (accessed 2021-01-21)
Families: Coinminer, Monero Miner

2018-01-17 - Malwarebytes - hasherezade
A coin miner with a "Heaven's Gate"
https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/ (accessed 2022-01-24)
Families: Coinminer

2018-01 - Malwarebytes - hasherezade
A coin miner with a "Heaven's Gate"
https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/ (accessed 2019-12-04)
Families: Coinminer

2017-07-30 - Secrary Blog - Secrary
CoinMiner
https://secrary.com/ReversingMalware/CoinMiner/ (accessed 2020-01-06)
Families: Coinminer
Yara Rules
[TLP:WHITE] win_coinminer_auto (20230715 | Detects win.coinminer.)
rule win_coinminer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.coinminer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff742420 ff15???????? 83c604 83fe0c }
            // n = 4, score = 100
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   ff15????????         |                     
            //   83c604               | add                 esi, 4
            //   83fe0c               | cmp                 esi, 0xc

        $sequence_1 = { 8b04c50c509000 5d c3 55 }
            // n = 4, score = 100
            //   8b04c50c509000       | mov                 eax, dword ptr [eax*8 + 0x90500c]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_2 = { 897c240c 8bcf 89442408 0bc8 0f84c7000000 8d4c2430 }
            // n = 6, score = 100
            //   897c240c             | mov                 dword ptr [esp + 0xc], edi
            //   8bcf                 | mov                 ecx, edi
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   0bc8                 | or                  ecx, eax
            //   0f84c7000000         | je                  0xcd
            //   8d4c2430             | lea                 ecx, [esp + 0x30]

        $sequence_3 = { f3a5 f30f7f442460 c644243f00 33c0 }
            // n = 4, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   f30f7f442460         | movdqu              xmmword ptr [esp + 0x60], xmm0
            //   c644243f00           | mov                 byte ptr [esp + 0x3f], 0
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 8944242c 85c0 0f849c000000 8d4c2438 51 6800100000 }
            // n = 6, score = 100
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   85c0                 | test                eax, eax
            //   0f849c000000         | je                  0xa2
            //   8d4c2438             | lea                 ecx, [esp + 0x38]
            //   51                   | push                ecx
            //   6800100000           | push                0x1000

        $sequence_5 = { 33c0 0f57c0 6689842450070000 33f6 660f13442440 }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   0f57c0               | xorps               xmm0, xmm0
            //   6689842450070000     | mov                 word ptr [esp + 0x750], ax
            //   33f6                 | xor                 esi, esi
            //   660f13442440         | movlpd              qword ptr [esp + 0x40], xmm0

        $sequence_6 = { 897de4 85ff 750d 0f57c0 660f1345f8 e9???????? }
            // n = 6, score = 100
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi
            //   85ff                 | test                edi, edi
            //   750d                 | jne                 0xf
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f1345f8           | movlpd              qword ptr [ebp - 8], xmm0
            //   e9????????           |                     

        $sequence_7 = { 6a00 ff15???????? 8bf0 85f6 7420 6a00 8d45f8 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7420                 | je                  0x22
            //   6a00                 | push                0
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_8 = { 83ec0c 57 6a00 6a00 6a03 6a00 6a01 }
            // n = 7, score = 100
            //   83ec0c               | sub                 esp, 0xc
            //   57                   | push                edi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_9 = { 50 ff742420 ff15???????? 8b7c242c 33f6 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   ff15????????         |                     
            //   8b7c242c             | mov                 edi, dword ptr [esp + 0x2c]
            //   33f6                 | xor                 esi, esi

    condition:
        7 of them and filesize < 1523712
}
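To make concrete what the rule's hex strings match and how its condition is evaluated, here is an added example (not code from Malpedia or yara-signator) that reimplements YARA's `??` wildcard matching for the ten sequences above and evaluates `7 of them and filesize < 1523712` against a constructed buffer. `materialize` and `build_sample` are hypothetical test helpers that assemble that buffer; no real sample is involved.

```python
import re

# Hex strings copied from the win_coinminer_auto rule above. Each "??" masks one byte;
# in "ff15????????" (call dword ptr [imm32]) and "e9????????" (jmp rel32) the masked
# bytes are addresses that differ between builds, so the rule still matches across them.
SEQUENCES = {
    "sequence_0": "ff742420 ff15???????? 83c604 83fe0c",
    "sequence_1": "8b04c50c509000 5d c3 55",
    "sequence_2": "897c240c 8bcf 89442408 0bc8 0f84c7000000 8d4c2430",
    "sequence_3": "f3a5 f30f7f442460 c644243f00 33c0",
    "sequence_4": "8944242c 85c0 0f849c000000 8d4c2438 51 6800100000",
    "sequence_5": "33c0 0f57c0 6689842450070000 33f6 660f13442440",
    "sequence_6": "897de4 85ff 750d 0f57c0 660f1345f8 e9????????",
    "sequence_7": "6a00 ff15???????? 8bf0 85f6 7420 6a00 8d45f8",
    "sequence_8": "83ec0c 57 6a00 6a00 6a03 6a00 6a01",
    "sequence_9": "50 ff742420 ff15???????? 8b7c242c 33f6",
}
MAX_FILESIZE = 1523712  # from the rule's condition: "filesize < 1523712"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string to a bytes regex: '??' -> any byte, fixed bytes escaped."""
    hexstr = pattern.replace(" ", "")
    tokens = [hexstr[i:i + 2] for i in range(0, len(hexstr), 2)]
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0a


def matched_sequences(data: bytes) -> list:
    """Names of the rule's strings that occur anywhere in data."""
    return [name for name, pat in SEQUENCES.items() if hex_pattern_to_regex(pat).search(data)]


def rule_matches(data: bytes, threshold: int = 7) -> bool:
    """Evaluate the rule's condition: '7 of them and filesize < 1523712'."""
    return len(data) < MAX_FILESIZE and len(matched_sequences(data)) >= threshold


def materialize(pattern: str, fill: int) -> bytes:
    """Test helper: concrete bytes for a pattern, every '??' replaced by the filler byte."""
    return bytes.fromhex(pattern.replace(" ", "").replace("??", f"{fill:02x}"))


def build_sample(n: int) -> bytes:
    """Constructed input (not a real binary): the first n sequences, NUL-separated,
    inside NOP/INT3 padding, with a different filler byte per sequence."""
    body = b"\x00".join(materialize(SEQUENCES[f"sequence_{i}"], 0x40 + i) for i in range(n))
    return b"\x90" * 16 + body + b"\xcc" * 16
```

Note that a buffer containing only six of the sequences, or one at or above the size limit, fails the condition even though individual strings still match.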