win.coinminer

Coinminer


Coinminer is unwanted malicious software that uses the victim's computational resources (mostly CPU and RAM) to mine cryptocurrency (for example Monero or Zcash). The malware achieves persistence by configuring one of the open-source miners to run at startup, without the victim's consent. The more sophisticated coin miners throttle themselves with timers or cap their CPU usage in order to remain stealthy.

References
2021-01-18The DFIR ReportThe DFIR Report
@online{report:20210118:all:daed9a4, author = {The DFIR Report}, title = {{All That for a Coinminer?}}, date = {2021-01-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/}, language = {English}, urldate = {2021-01-21} } All That for a Coinminer?
Coinminer Monero Miner
2018-01Malwarebyteshasherezade
@online{hasherezade:201801:coin:7ef1583, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/}, language = {English}, urldate = {2019-12-04} } A coin miner with a “Heaven’s Gate”
Coinminer
2017-07-30Secrary BlogSecrary
@online{secrary:20170730:coinminer:2c3de72, author = {Secrary}, title = {{CoinMiner}}, date = {2017-07-30}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/CoinMiner/}, language = {English}, urldate = {2020-01-06} } CoinMiner
Coinminer
Yara Rules
[TLP:WHITE] win_coinminer_auto (20211008 | Detects win.coinminer.)
rule win_coinminer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.coinminer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): practical caveats for deploying this rule.
     * - The byte sequences were taken from unpacked code / memory dumps (see
     *   disclaimer above), so a packed or encrypted on-disk sample will usually
     *   not hit. Scan process memory or unpacked payloads for best results.
     * - Each `????` wildcard covers an operand that changes between builds or
     *   load addresses (the rel32 of a `call`, the absolute address of a
     *   `mov al, [moffs]` / `bt [mem]`), which is why it is not fixed.
     * - Several sequences do not decode to plausible compiler output (see the
     *   per-string comments below); they still match as raw bytes but are the
     *   least likely to generalize to other samples of this family.
     * - "7 of them" out of 10 sequences gives some tolerance for the above;
     *   treat a hit as a medium-confidence lead and confirm manually.
     */

    strings:
        $sequence_0 = { 33c0 81fe02010000 0f94c0 85c0 7421 c744240c01000000 e8???????? }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   81fe02010000         | cmp                 esi, 0x102
            //   0f94c0               | sete                al
            //   85c0                 | test                eax, eax
            //   7421                 | je                  0x23
            //   c744240c01000000     | mov                 dword ptr [esp + 0xc], 1
            //   e8????????           |                     
            // 0x102 is the value esi is compared against; it is a plain
            // immediate in the sample and its meaning is not recoverable from
            // the bytes alone -- do not assume a specific constant semantics.

        $sequence_1 = { c4890633c06c bf3bdbbdfd 7429 8b06 a2???????? 3f 751b }
            // n = 7, score = 100
            //   c4890633c06c         | les                 ecx, ptr [ecx + 0x6cc03306]
            //   bf3bdbbdfd           | mov                 edi, 0xfdbddb3b
            //   7429                 | je                  0x2b
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   a2????????           |                     
            //   3f                   | aas                 
            //   751b                 | jne                 0x1d
            // NOTE(review): `les` and `aas` are not something a modern compiler
            // emits; this run is presumably misaligned bytes or data rather
            // than real instructions. It still matches as a byte pattern.

        $sequence_2 = { 8945c0 8bc1 8955c4 99 660f1345c8 8945d0 8955d4 }
            // n = 7, score = 100
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   8bc1                 | mov                 eax, ecx
            //   8955c4               | mov                 dword ptr [ebp - 0x3c], edx
            //   99                   | cdq                 
            //   660f1345c8           | movlpd              qword ptr [ebp - 0x38], xmm0
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8955d4               | mov                 dword ptr [ebp - 0x2c], edx
            // Stores two sign-extended 64-bit values (cdq widens eax into
            // edx:eax) into consecutive stack slots -- ordinary 32-bit code.

        $sequence_3 = { 8b75e8 b928000000 8bc1 83e003 }
            // n = 4, score = 100
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   b928000000           | mov                 ecx, 0x28
            //   8bc1                 | mov                 eax, ecx
            //   83e003               | and                 eax, 3
            // Short (4 instructions) and generic; on its own this is a weak
            // indicator and relies on the "7 of them" condition for precision.

        $sequence_4 = { 48 83c308 ebd6 ffa6b4700800 48 83c428 48 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   83c308               | add                 ebx, 8
            //   ebd6                 | jmp                 0xffffffd8
            //   ffa6b4700800         | jmp                 dword ptr [esi + 0x870b4]
            //   48                   | dec                 eax
            //   83c428               | add                 esp, 0x28
            //   48                   | dec                 eax
            // NOTE(review): the listing is 32-bit, but the lone 0x48 bytes are
            // REX.W prefixes in 64-bit code: `48 83c308` = add rbx, 8 and
            // `48 83c428` = add rsp, 0x28 (a typical x64 epilogue). The sample
            // therefore appears to carry x64 code alongside x86 code -- possibly
            // related to the Heaven's Gate technique described in the
            // referenced Malwarebytes analysis; confirm against the sample.

        $sequence_5 = { 184a12 9c 8bf0 8bc2 89742420 5a ba9fcdf310 }
            // n = 7, score = 100
            //   184a12               | sbb                 byte ptr [edx + 0x12], cl
            //   9c                   | pushfd              
            //   8bf0                 | mov                 esi, eax
            //   8bc2                 | mov                 eax, edx
            //   89742420             | mov                 dword ptr [esp + 0x20], esi
            //   5a                   | pop                 edx
            //   ba9fcdf310           | mov                 edx, 0x10f3cd9f
            // NOTE(review): `sbb [mem], cl` followed by `pushfd` is unusual for
            // compiled code; likely a misaligned start. The later movs look
            // genuine. Match quality is mixed.

        $sequence_6 = { 7e58 bc80304a3e 60 4c 1c00 59 6443 }
            // n = 7, score = 100
            //   7e58                 | jle                 0x5a
            //   bc80304a3e           | mov                 esp, 0x3e4a3080
            //   60                   | pushal              
            //   4c                   | dec                 esp
            //   1c00                 | sbb                 al, 0
            //   59                   | pop                 ecx
            //   6443                 | inc                 ebx
            // NOTE(review): `mov esp, imm32` / `pushal` / `dec esp` is not
            // plausible compiler output -- this is most likely data or packed
            // bytes, so expect it to be sample-specific.

        $sequence_7 = { 6c 82e5f2 03f4 56 25a32b50fd }
            // n = 5, score = 100
            //   6c                   | insb                byte ptr es:[edi], dx
            //   82e5f2               | and                 ch, 0xf2
            //   03f4                 | add                 esi, esp
            //   56                   | push                esi
            //   25a32b50fd           | and                 eax, 0xfd502ba3
            // NOTE(review): `insb` (port I/O) in user-mode malware is almost
            // certainly misdecoded data; same caveat as $sequence_6.

        $sequence_8 = { 81fa80000000 7c0e 0fba25????????01 0f82b8290000 57 }
            // n = 5, score = 100
            //   81fa80000000         | cmp                 edx, 0x80
            //   7c0e                 | jl                  0x10
            //   0fba25????????01     |                     
            //   0f82b8290000         | jb                  0x29be
            //   57                   | push                edi
            // `0f ba 25 <addr> 01` is `bt dword ptr [addr], 1` -- a test of a
            // global flag word; the address is wildcarded since it is
            // image-base dependent.

        $sequence_9 = { 0f855a010000 85d2 0f8552010000 8d842494000000 }
            // n = 4, score = 100
            //   0f855a010000         | jne                 0x160
            //   85d2                 | test                edx, edx
            //   0f8552010000         | jne                 0x158
            //   8d842494000000       | lea                 eax, dword ptr [esp + 0x94]

    condition:
        // Require 7 of the 10 sequences. The size bound (1523712 = 0x174000,
        // about 1.45 MiB) is derived from the reference sample and will
        // exclude larger or padded builds. NOTE(review): when scanning process
        // memory instead of files, verify how your YARA version evaluates
        // `filesize` before relying on this bound.
        7 of them and filesize < 1523712
}