SYMBOL: win.coinminer
COMMON_NAME: Coinminer
aka. SYNONYMS: (none listed)

Coinminer is unwanted, malicious software that uses the victim's computational resources (mostly CPU and RAM) to mine cryptocurrency (for example Monero or Zcash). The malware achieves persistence by registering one of the open-source miners to run at startup, without the victim's consent. More sophisticated coin miners use timer settings or cap their CPU usage in order to remain stealthy.

References

2022-09-15, Sekoia, Threat & Detection Research Team: "PrivateLoader: the loader of the prevalent ruzki PPI service". https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ (retrieved 2022-09-19)
Families referenced: Agent Tesla, Coinminer, DanaBot, DCRat, Eternity Stealer, Glupteba, Mars Stealer, NetSupportManager RAT, Nymaim, Nymaim2, Phoenix Keylogger, PrivateLoader, Raccoon, RedLine Stealer, SmokeLoader, Socelars, STOP, Vidar, YTStealer

2022-08-30, Cisco, Vanja Svajcer: "ModernLoader delivers multiple stealers, cryptominers and RATs". https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html (retrieved 2022-08-31)
Families referenced: Coinminer, DCRat, ModernLoader, RedLine Stealer, SapphireMiner, SystemBC

2022, Triskele Labs, Brecht Snijders: "Investigating a Monero Coin Miner". https://www.triskelelabs.com/investigating-monero-coin-miner (retrieved 2022-08-31)
Families referenced: Coinminer

2021-01-18, The DFIR Report: "All That for a Coinminer?". https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/ (retrieved 2021-01-21)
Families referenced: Coinminer, Monero Miner

2018-01-17, Malwarebytes, hasherezade: "A coin miner with a “Heaven’s Gate”". https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/ (retrieved 2022-01-24)
Families referenced: Coinminer

2018-01, Malwarebytes, hasherezade: "A coin miner with a “Heaven’s Gate”" (AMP version). https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/ (retrieved 2019-12-04)
Families referenced: Coinminer

2017-07-30, Secrary Blog, Secrary: "CoinMiner". https://secrary.com/ReversingMalware/CoinMiner/ (retrieved 2020-01-06)
Families referenced: Coinminer

Yara Rules
[TLP:WHITE] win_coinminer_auto (20221125 | Detects win.coinminer.)
rule win_coinminer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.coinminer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83e61f c1f805 c1e606 8b0485a05f9a00 }
            // n = 4, score = 100
            //   83e61f               | and                 esi, 0x1f
            //   c1f805               | sar                 eax, 5
            //   c1e606               | shl                 esi, 6
            //   8b0485a05f9a00       | mov                 eax, dword ptr [eax*4 + 0x9a5fa0]

        $sequence_1 = { 8bcb 8d41bf 6683f819 7703 83c120 0fb73a 8d47bf }
            // n = 7, score = 100
            //   8bcb                 | mov                 ecx, ebx
            //   8d41bf               | lea                 eax, [ecx - 0x41]
            //   6683f819             | cmp                 ax, 0x19
            //   7703                 | ja                  5
            //   83c120               | add                 ecx, 0x20
            //   0fb73a               | movzx               edi, word ptr [edx]
            //   8d47bf               | lea                 eax, [edi - 0x41]

        $sequence_2 = { 660f1345c8 8945d0 8955d4 8965fc 83e4f0 }
            // n = 5, score = 100
            //   660f1345c8           | movlpd              qword ptr [ebp - 0x38], xmm0
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8955d4               | mov                 dword ptr [ebp - 0x2c], edx
            //   8965fc               | mov                 dword ptr [ebp - 4], esp
            //   83e4f0               | and                 esp, 0xfffffff0

        $sequence_3 = { eb1a c745e43c639a00 a1???????? eb0c c745e444639a00 }
            // n = 5, score = 100
            //   eb1a                 | jmp                 0x1c
            //   c745e43c639a00       | mov                 dword ptr [ebp - 0x1c], 0x9a633c
            //   a1????????           |                     
            //   eb0c                 | jmp                 0xe
            //   c745e444639a00       | mov                 dword ptr [ebp - 0x1c], 0x9a6344

        $sequence_4 = { 8d8c24b0020000 e8???????? 8bf0 56 ff15???????? }
            // n = 5, score = 100
            //   8d8c24b0020000       | lea                 ecx, [esp + 0x2b0]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_5 = { 8bf0 e8???????? 8bf8 8d8424c8000000 }
            // n = 4, score = 100
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   8d8424c8000000       | lea                 eax, [esp + 0xc8]

        $sequence_6 = { 6800000040 ff75f4 c745fc00000000 ff15???????? }
            // n = 4, score = 100
            //   6800000040           | push                0x40000000
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   ff15????????         |                     

        $sequence_7 = { 83ec08 53 8b1d???????? 8d45f8 56 57 }
            // n = 6, score = 100
            //   83ec08               | sub                 esp, 8
            //   53                   | push                ebx
            //   8b1d????????         |                     
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_8 = { 6804000008 6a00 6a00 6a00 8d842470070000 50 }
            // n = 6, score = 100
            //   6804000008           | push                0x8000004
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d842470070000       | lea                 eax, [esp + 0x770]
            //   50                   | push                eax

        $sequence_9 = { 83c104 8a10 7410 48 ffc0 8817 83e901 }
            // n = 7, score = 100
            //   83c104               | add                 ecx, 4
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   7410                 | je                  0x12
            //   48                   | dec                 eax
            //   ffc0                 | inc                 eax
            //   8817                 | mov                 byte ptr [edi], dl
            //   83e901               | sub                 ecx, 1

    condition:
        7 of them and filesize < 1523712
}