win.coinminer

Coinminer


Coinminer is unwanted malicious software that uses the victim's computational resources (mostly CPU and RAM) to mine cryptocurrency (for example Monero or Zcash). The malware achieves persistence by registering one of the open-source miners to run at startup, without the victim's consent. Most sophisticated coin miners use timer settings or cap CPU usage in order to remain stealthy.

References
- 2022-09-15, Sekoia, Threat & Detection Research Team: "PrivateLoader: the loader of the prevalent ruzki PPI service" (families: Agent Tesla, Coinminer, DanaBot, DCRat, Eternity Stealer, Glupteba, Mars Stealer, NetSupportManager RAT, Nymaim, Nymaim2, Phoenix Keylogger, PrivateLoader, Raccoon, RedLine Stealer, SmokeLoader, Socelars, STOP, Vidar, YTStealer)
- 2022-08-30, Cisco, Vanja Svajcer: "ModernLoader delivers multiple stealers, cryptominers and RATs" (families: Coinminer, DCRat, ModernLoader, RedLine Stealer, SapphireMiner, SystemBC)
- 2022-01-01, Triskele Labs, Brecht Snijders: "Investigating a Monero Coin Miner" (families: Coinminer)
- 2021-01-18, The DFIR Report, The DFIR Report: "All That for a Coinminer?" (families: Coinminer, Monero Miner)
- 2018-01-17, Malwarebytes, hasherezade: "A coin miner with a “Heaven’s Gate”" (families: Coinminer)
- 2018-01-01, Malwarebytes, hasherezade: "A coin miner with a “Heaven’s Gate”" (families: Coinminer)
- 2017-07-30, Secrary Blog, Secrary: "CoinMiner" (families: Coinminer)

Yara Rules
[TLP:WHITE] win_coinminer_auto (20230808 | Detects win.coinminer.)
rule win_coinminer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.coinminer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85d2 750d 8b45f8 8b55fc 5f 5e }
            // n = 6, score = 100
            //   85d2                 | test                edx, edx
            //   750d                 | jne                 0xf
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_1 = { 8d7f04 73ef 83c104 8a10 7410 48 ffc0 }
            // n = 7, score = 100
            //   8d7f04               | lea                 edi, [edi + 4]
            //   73ef                 | jae                 0xfffffff1
            //   83c104               | add                 ecx, 4
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   7410                 | je                  0x12
            //   48                   | dec                 eax
            //   ffc0                 | inc                 eax

        $sequence_2 = { e9???????? 6a00 ff742414 ffd6 ff742414 8b3d???????? ffd7 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   6a00                 | push                0
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   ffd6                 | call                esi
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   8b3d????????         |                     
            //   ffd7                 | call                edi

        $sequence_3 = { c3 8bc6 c745f200000000 99 0f57c0 66c745f60000 660fd645ea }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   8bc6                 | mov                 eax, esi
            //   c745f200000000       | mov                 dword ptr [ebp - 0xe], 0
            //   99                   | cdq                 
            //   0f57c0               | xorps               xmm0, xmm0
            //   66c745f60000         | mov                 word ptr [ebp - 0xa], 0
            //   660fd645ea           | movq                qword ptr [ebp - 0x16], xmm0

        $sequence_4 = { 8bf0 e8???????? 8bf8 8d842450130000 }
            // n = 4, score = 100
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   8d842450130000       | lea                 eax, [esp + 0x1350]

        $sequence_5 = { 53 56 8b35???????? 8bd9 57 8b3d???????? }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b35????????         |                     
            //   8bd9                 | mov                 ebx, ecx
            //   57                   | push                edi
            //   8b3d????????         |                     

        $sequence_6 = { 57 ff15???????? c70300000000 8b4510 5f c70600000000 5e }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   c70300000000         | mov                 dword ptr [ebx], 0
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   5f                   | pop                 edi
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   5e                   | pop                 esi

        $sequence_7 = { 9b 53 83473220 2c6a }
            // n = 4, score = 100
            //   9b                   | wait                
            //   53                   | push                ebx
            //   83473220             | add                 dword ptr [edi + 0x32], 0x20
            //   2c6a                 | sub                 al, 0x6a

        $sequence_8 = { 8d842434010000 50 ff15???????? 56 e8???????? 57 }
            // n = 6, score = 100
            //   8d842434010000       | lea                 eax, [esp + 0x134]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   57                   | push                edi

        $sequence_9 = { 83c408 890d???????? 8bf2 8935???????? 85c9 7504 85f6 }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   890d????????         |                     
            //   8bf2                 | mov                 esi, edx
            //   8935????????         |                     
            //   85c9                 | test                ecx, ecx
            //   7504                 | jne                 6
            //   85f6                 | test                esi, esi

    condition:
        7 of them and filesize < 1523712
}