win.coinminer

Coinminer


Coinminer is a generic label for unwanted software that hijacks the victim's computing resources (mostly CPU time, and memory) to mine cryptocurrency such as Monero or Zcash. The malware typically achieves persistence by configuring one of the open-source miners to run at startup, without the victim's consent. More sophisticated coin miners throttle themselves with timer settings or cap their CPU usage in order to remain stealthy.

References
2021-01-18 — The DFIR Report — The DFIR Report
@online{report:20210118:all:daed9a4, author = {The DFIR Report}, title = {{All That for a Coinminer?}}, date = {2021-01-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/}, language = {English}, urldate = {2021-01-21} } All That for a Coinminer?
Coinminer Monero Miner
2018-01-17 — Malwarebytes — hasherezade
@online{hasherezade:20180117:coin:6f17887, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/}, language = {English}, urldate = {2022-01-24} } A coin miner with a “Heaven’s Gate”
Coinminer
2018-01 — Malwarebytes — hasherezade (AMP rendering of the same article as above)
@online{hasherezade:201801:coin:7ef1583, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/}, language = {English}, urldate = {2019-12-04} } A coin miner with a “Heaven’s Gate”
Coinminer
2017-07-30 — Secrary Blog — Secrary
@online{secrary:20170730:coinminer:2c3de72, author = {Secrary}, title = {{CoinMiner}}, date = {2017-07-30}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/CoinMiner/}, language = {English}, urldate = {2020-01-06} } CoinMiner
Coinminer
Yara Rules
[TLP:WHITE] win_coinminer_auto (20220516 | Detects win.coinminer.)
rule win_coinminer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.coinminer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (not part of the generated rule):
     * - Each $sequence_N is a raw x86 instruction byte pattern. The "|"
     *   column beside it is yara-signator's 32-bit disassembly and is purely
     *   informational -- YARA matches the bytes, never the mnemonics.
     * - "n" is the number of instructions in the sequence; "score" is a
     *   yara-signator value (see the linked repository for its meaning);
     *   all ten sequences here carry score = 100.
     * - Bytes 0x48 / 0x4c occur in $sequence_1, $sequence_6 and $sequence_8.
     *   In 32-bit mode they decode as dec/inc as shown below, but in 64-bit
     *   mode they are REX prefixes (e.g. "48 ffc0" = inc rax), so those
     *   sequences may have been lifted from x64 code -- plausible given the
     *   "Heaven's Gate" write-up referenced for this family. TODO confirm
     *   against the source samples before relying on the 32-bit reading.
     * - The sequences came from memory dumps / unpacked files (see above), so
     *   this rule is best applied to unpacked samples or process memory; a
     *   packed on-disk dropper will likely not expose these byte runs.
     */

    strings:
        // $sequence_0: stack-local pointer setup followed by a null check.
        // The frame offsets (ebp-0x5d0, ebp-0x1f0, ebp-0x1ec) are tied to
        // this particular build's stack layout.
        $sequence_0 = { 8d8530faffff 8945fc 85c0 7463 8b8d10feffff 8b8514feffff 85c9 }
            // n = 7, score = 100
            //   8d8530faffff         | lea                 eax, [ebp - 0x5d0]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   85c0                 | test                eax, eax
            //   7463                 | je                  0x65
            //   8b8d10feffff         | mov                 ecx, dword ptr [ebp - 0x1f0]
            //   8b8514feffff         | mov                 eax, dword ptr [ebp - 0x1ec]
            //   85c9                 | test                ecx, ecx

        // $sequence_1: loop fragment (the "jae 0xfffffff1" is a backward rel8
        // jump) reading one byte through eax. Note that its last four
        // instructions ("8a10 7410 48 ffc0") are exactly $sequence_8, so a
        // hit on this string always implies a hit on $sequence_8 as well.
        $sequence_1 = { 8d7f04 73ef 83c104 8a10 7410 48 ffc0 }
            // n = 7, score = 100
            //   8d7f04               | lea                 edi, [edi + 4]
            //   73ef                 | jae                 0xfffffff1
            //   83c104               | add                 ecx, 4
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   7410                 | je                  0x12
            //   48                   | dec                 eax
            //   ffc0                 | inc                 eax

        // $sequence_2: "ff15 ????????" is call dword ptr [abs32] with the
        // operand wildcarded (the absolute slot address differs per build /
        // image base); "e9 ????????" is jmp rel32 with a wildcarded
        // displacement. 0xfa0 is 4000 decimal; what the pushed value means
        // (e.g. a millisecond timeout) is not recoverable from the bytes
        // alone -- verify in the sample if it matters to you.
        $sequence_2 = { 0b442408 0f8499fdffff 68a00f0000 ff15???????? 8b74242c e9???????? }
            // n = 6, score = 100
            //   0b442408             | or                  eax, dword ptr [esp + 8]
            //   0f8499fdffff         | je                  0xfffffd9f
            //   68a00f0000           | push                0xfa0
            //   ff15????????         |                     
            //   8b74242c             | mov                 esi, dword ptr [esp + 0x2c]
            //   e9????????           |                     

        // $sequence_3: save a return value in esi, null-check it, then start
        // pushing arguments (0 and a pointer to a stack local). A short,
        // common idiom -- likely present in benign code too, so it carries
        // little weight on its own.
        $sequence_3 = { 8bf0 85f6 7420 6a00 8d45f8 50 }
            // n = 6, score = 100
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7420                 | je                  0x22
            //   6a00                 | push                0
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax

        // $sequence_4: the arithmetic (eax >> 5, (ecx & 0x1f) << 6, + 0xc,
        // then a table lookup indexed by eax*4) looks like the MSVC CRT
        // ioinfo / file-handle lookup idiom -- NOTE(review): verify. If so,
        // the only sample-specific part is the absolute table address
        // 0x9a5fa0 baked into the last instruction; that address also makes
        // the sequence brittle across rebuilds or a different image base.
        $sequence_4 = { c1f805 83e11f c1e106 83c10c 8b0485a05f9a00 }
            // n = 5, score = 100
            //   c1f805               | sar                 eax, 5
            //   83e11f               | and                 ecx, 0x1f
            //   c1e106               | shl                 ecx, 6
            //   83c10c               | add                 ecx, 0xc
            //   8b0485a05f9a00       | mov                 eax, dword ptr [eax*4 + 0x9a5fa0]

        // $sequence_5: four-instruction null-check + argument setup. Very
        // generic; only meaningful in combination with the other sequences.
        $sequence_5 = { 85f6 7412 8d44240c 50 }
            // n = 4, score = 100
            //   85f6                 | test                esi, esi
            //   7412                 | je                  0x14
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   50                   | push                eax

        // $sequence_6: "sub esp, 0x20 / call ebp" followed by 48 8d87... and
        // a trailing 4c. Read as x64 these are lea rax, [rdi + 0x1af] and a
        // REX prefix, and 0x20 would be the x64 shadow-space reservation --
        // consistent with 64-bit code, TODO confirm (see note above). The two
        // "and byte ptr [...], 0x7f" masks clear the top bit of two bytes.
        $sequence_6 = { 83ec20 ffd5 48 8d87af010000 80207f 8060287f 4c }
            // n = 7, score = 100
            //   83ec20               | sub                 esp, 0x20
            //   ffd5                 | call                ebp
            //   48                   | dec                 eax
            //   8d87af010000         | lea                 eax, [edi + 0x1af]
            //   80207f               | and                 byte ptr [eax], 0x7f
            //   8060287f             | and                 byte ptr [eax + 0x28], 0x7f
            //   4c                   | dec                 esp

        // $sequence_7: two chained null checks (eax, then edx). Four bytes of
        // very common code; low specificity on its own.
        $sequence_7 = { 85c0 7504 85d2 744f }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6
            //   85d2                 | test                edx, edx
            //   744f                 | je                  0x51

        // $sequence_8: strict suffix of $sequence_1. It is never independent
        // evidence -- whenever $sequence_1 matches, this one matches too.
        $sequence_8 = { 8a10 7410 48 ffc0 }
            // n = 4, score = 100
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   7410                 | je                  0x12
            //   48                   | dec                 eax
            //   ffc0                 | inc                 eax

        // $sequence_9: NOTE(review): the decode is an implausible instruction
        // mix (sbb dl, dl; mov esi, 0x8be30f83; an fmul through edx; cmp al,
        // 0xca), which suggests these bytes are data or a misaligned decode
        // rather than real code. It still works as an opaque byte pattern,
        // but do not interpret the mnemonics.
        $sequence_9 = { 18d2 be830fe38b d80a 8b4485db 3cca }
            // n = 5, score = 100
            //   18d2                 | sbb                 dl, dl
            //   be830fe38b           | mov                 esi, 0x8be30f83
            //   d80a                 | fmul                dword ptr [edx]
            //   8b4485db             | mov                 eax, dword ptr [ebp + eax*4 - 0x25]
            //   3cca                 | cmp                 al, 0xca

    condition:
        // Any 7 of the 10 sequences, on objects smaller than 1523712 bytes
        // (0x174000, about 1.45 MiB). Because $sequence_8 is contained in
        // $sequence_1, a $sequence_1 hit always brings $sequence_8 with it,
        // so in that case only 5 of the remaining 8 are needed -- i.e. six
        // distinct patterns, not seven. filesize is the size of the scanned
        // object (file or memory region), so the bound is only meaningful
        // for the unpacked/dumped form the patterns were taken from.
        7 of them and filesize < 1523712
}