SYMBOL: win.coinminer

Coinminer


Coinminer is unwanted, malicious software that uses the victim's computational resources (primarily the CPU, plus RAM for memory-hard algorithms such as Monero's RandomX) to mine cryptocurrency, for example Monero or Zcash, for the attacker's benefit. The malware typically achieves persistence by registering one of the open-source miners to run at startup, without the victim's consent. More sophisticated coin miners use timers (for example, mining only while the system is idle) or cap CPU usage in order to remain stealthy and stay under load-based alerting.
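The behaviours described above (a known open-source miner pointed at a pool, persisted through a startup entry, and throttled so that a "high CPU" rule never fires) translate directly into a host-side triage check. The following is an added example, not code from Malpedia or from any of the referenced reports. The process and Run-key telemetry is constructed; the wallet address, pool hostname and file paths are placeholders; the command-line flags are those of XMRig, a widely abused open-source Monero miner.

```python
"""Host-side triage for coin-miner activity.

Added example (not code from Malpedia or the referenced reports). All telemetry
below is constructed: the wallet address, pool host and file paths are
placeholders. Command-line flags follow XMRig, a widely abused open-source miner.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str          # full path of the running executable
    cmdline: str        # command line as logged, e.g. by Sysmon event ID 1
    cpu_percent: float  # sampled CPU usage at collection time


# Placeholder "wallet": 95 base58 characters starting with 4, shaped like a Monero address.
FAKE_WALLET = "4" + "aBcD3f7k" * 11 + "XyZ9Qw"

# Constructed process snapshot. pid 4412 is a miner persisted under a user-writable
# path, named after a system binary and capped at ~40% CPU via --cpu-max-threads-hint.
SAMPLE_PROCS = [
    Proc(1204, "C:\\Program Files\\Blender\\blender.exe",
         "blender.exe -b scene.blend -a", 97.0),
    Proc(4412, "C:\\Users\\Public\\Libraries\\svchost.exe",
         "svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u " + FAKE_WALLET
         + " -p x --donate-level=1 --cpu-max-threads-hint=40 --background", 38.5),
    Proc(2230, "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs -p", 1.2),
]

# Constructed Run-key export (value name -> command). The miner's persistence entry
# carries no pool or wallet on its command line; everything lives in a config file.
SAMPLE_AUTORUNS = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "WindowsUpdate": "C:\\Users\\Public\\Libraries\\svchost.exe --config=C:\\Users\\Public\\Libraries\\cfg.json",
}

STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://[\w.-]+:\d{2,5}", re.I)
# Standard Monero address: 95 base58 chars, first char 4 (8 for subaddresses).
XMR_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
MINER_FLAGS = ("--donate-level", "--algo", "--coin", "--randomx", "--keepalive", "--nicehash")
THROTTLE_FLAGS = ("--cpu-max-threads-hint", "--max-cpu-usage", "--threads=")
MASQUERADED_NAMES = {"svchost.exe", "conhost.exe", "explorer.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


def cmdline_indicators(cmdline: str) -> list[str]:
    """Miner indicators in a command line; none of these depend on CPU load."""
    hits: list[str] = []
    if STRATUM_RE.search(cmdline):
        hits.append("stratum pool URL")
    if XMR_ADDR_RE.search(cmdline):
        hits.append("Monero wallet address")
    low = cmdline.lower()
    hits += [f"miner flag {f}" for f in MINER_FLAGS if f in low]
    hits += [f"CPU cap flag {f}" for f in THROTTLE_FLAGS if f in low]
    return hits


def masquerading(image: str) -> bool:
    """True when a system-binary name runs from outside the Windows/Program Files trees."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    return name in MASQUERADED_NAMES and not low.startswith(SYSTEM_DIRS)


def naive_cpu_alert(p: Proc, threshold: float = 80.0) -> bool:
    """The load-based rule a throttled miner is built to stay under."""
    return p.cpu_percent >= threshold


def classify(p: Proc) -> dict:
    ind = cmdline_indicators(p.cmdline)
    if masquerading(p.image):
        ind.append("system binary name outside system directory")
    return {"pid": p.pid, "indicators": ind,
            "miner": len(ind) >= 2, "naive_cpu_alert": naive_cpu_alert(p)}


def scan_processes(procs: list[Proc]) -> list[dict]:
    return [classify(p) for p in procs]


def _image_of(command: str) -> str:
    """First token of an autorun command, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_autoruns(autoruns: dict[str, str]) -> dict[str, list[str]]:
    """Startup entries worth pulling for a YARA scan: any miner indicator or masquerade."""
    out: dict[str, list[str]] = {}
    for name, cmd in autoruns.items():
        ind = cmdline_indicators(cmd)
        if masquerading(_image_of(cmd)):
            ind.append("system binary name outside system directory")
        if ind:
            out[name] = ind
    return out


if __name__ == "__main__":
    for r in scan_processes(SAMPLE_PROCS):
        print(r)
    print(suspicious_autoruns(SAMPLE_AUTORUNS))
```

Fed Sysmon process-creation events and an autoruns export, the split makes the point of the paragraph above: pid 4412 stays under the 80% threshold by design, so only the command-line and path indicators catch it, while the legitimate renderer on pid 1204 is the one that trips the CPU rule. The persistence entry is the harder case: when the miner reads pool and wallet from a config file, the only indicator left is a system-binary name under a user-writable path, which is the cue to pull that file and scan it with a rule such as win_coinminer_auto below.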

References
2022-09-15 | Sekoia | Threat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} }
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-30 | Cisco | Vanja Svajcer
@online{svajcer:20220830:modernloader:5b62dce, author = {Vanja Svajcer}, title = {{ModernLoader delivers multiple stealers, cryptominers and RATs}}, date = {2022-08-30}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html}, language = {English}, urldate = {2022-08-31} }
Coinminer DCRat ModernLoader RedLine Stealer SapphireMiner SystemBC
2022 | Triskele Labs | Brecht Snijders
@online{snijders:2022:investigating:780a051, author = {Brecht Snijders}, title = {{Investigating a Monero Coin Miner}}, date = {2022}, organization = {Triskele Labs}, url = {https://www.triskelelabs.com/investigating-monero-coin-miner}, language = {English}, urldate = {2022-08-31} }
Coinminer
2021-01-18 | The DFIR Report | The DFIR Report
@online{report:20210118:all:daed9a4, author = {The DFIR Report}, title = {{All That for a Coinminer?}}, date = {2021-01-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/}, language = {English}, urldate = {2021-01-21} }
Coinminer Monero Miner
2018-01-17 | Malwarebytes | hasherezade
@online{hasherezade:20180117:coin:6f17887, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/}, language = {English}, urldate = {2022-01-24} }
Coinminer
2018-01 | Malwarebytes | hasherezade
@online{hasherezade:201801:coin:7ef1583, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/}, language = {English}, urldate = {2019-12-04} }
Coinminer
2017-07-30 | Secrary Blog | Secrary
@online{secrary:20170730:coinminer:2c3de72, author = {Secrary}, title = {{CoinMiner}}, date = {2017-07-30}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/CoinMiner/}, language = {English}, urldate = {2020-01-06} }
Coinminer
Yara Rules
[TLP:WHITE] win_coinminer_auto (20230407 | Detects win.coinminer.)
rule win_coinminer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.coinminer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b8d24e5ffff 8b0485a05f9a00 f644010440 7409 803a1a 7504 33c0 }
            // n = 7, score = 100
            //   8b8d24e5ffff         | mov                 ecx, dword ptr [ebp - 0x1adc]
            //   8b0485a05f9a00       | mov                 eax, dword ptr [eax*4 + 0x9a5fa0]
            //   f644010440           | test                byte ptr [ecx + eax + 4], 0x40
            //   7409                 | je                  0xb
            //   803a1a               | cmp                 byte ptr [edx], 0x1a
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 8b07 2500ffffff 0fc8 29f8 01d8 ab 48 }
            // n = 7, score = 100
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   2500ffffff           | and                 eax, 0xffffff00
            //   0fc8                 | bswap               eax
            //   29f8                 | sub                 eax, edi
            //   01d8                 | add                 eax, ebx
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   48                   | dec                 eax

        $sequence_2 = { 8d7608 660fd60f 8d7f08 8b048de8a18f00 ffe0 }
            // n = 5, score = 100
            //   8d7608               | lea                 esi, [esi + 8]
            //   660fd60f             | movq                qword ptr [edi], xmm1
            //   8d7f08               | lea                 edi, [edi + 8]
            //   8b048de8a18f00       | mov                 eax, dword ptr [ecx*4 + 0x8fa1e8]
            //   ffe0                 | jmp                 eax

        $sequence_3 = { c1e706 8b0c8da05f9a00 c644390400 85f6 740c 56 e8???????? }
            // n = 7, score = 100
            //   c1e706               | shl                 edi, 6
            //   8b0c8da05f9a00       | mov                 ecx, dword ptr [ecx*4 + 0x9a5fa0]
            //   c644390400           | mov                 byte ptr [ecx + edi + 4], 0
            //   85f6                 | test                esi, esi
            //   740c                 | je                  0xe
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_4 = { 8b443474 03c7 50 ff742420 ff15???????? }
            // n = 5, score = 100
            //   8b443474             | mov                 eax, dword ptr [esp + esi + 0x74]
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   ff15????????         |                     

        $sequence_5 = { 8413 d5cd 66b3d9 bb031fdc52 e2b4 c3 }
            // n = 6, score = 100
            //   8413                 | test                byte ptr [ebx], dl
            //   d5cd                 | aad                 0xcd
            //   66b3d9               | mov                 bl, 0xd9
            //   bb031fdc52           | mov                 ebx, 0x52dc1f03
            //   e2b4                 | loop                0xffffffb6
            //   c3                   | ret                 

        $sequence_6 = { 48 89f7 b900100600 b20d 48 89fb }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   89f7                 | mov                 edi, esi
            //   b900100600           | mov                 ecx, 0x61000
            //   b20d                 | mov                 dl, 0xd
            //   48                   | dec                 eax
            //   89fb                 | mov                 ebx, edi

        $sequence_7 = { 8b4c2420 e8???????? 83c410 85c0 0f841c010000 8b542440 8b4c2420 }
            // n = 7, score = 100
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   0f841c010000         | je                  0x122
            //   8b542440             | mov                 edx, dword ptr [esp + 0x40]
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]

        $sequence_8 = { 668975e8 8b45e8 40 660f1345f8 }
            // n = 4, score = 100
            //   668975e8             | mov                 word ptr [ebp - 0x18], si
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   40                   | inc                 eax
            //   660f1345f8           | movlpd              qword ptr [ebp - 8], xmm0

        $sequence_9 = { 7410 48 ffc0 8817 83e901 8a10 48 }
            // n = 7, score = 100
            //   7410                 | je                  0x12
            //   48                   | dec                 eax
            //   ffc0                 | inc                 eax
            //   8817                 | mov                 byte ptr [edi], dl
            //   83e901               | sub                 ecx, 1
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   48                   | dec                 eax

    condition:
        7 of them and filesize < 1523712
}