win.kingminer (Back to overview)

Kingminer


No curated description has been written for this family yet. The references below describe Kingminer as a crypto-jacking (cryptomining) botnet, and the 2022 reporting associates it with attacks on vulnerable Microsoft SQL / database servers; consult those sources for tactics, infrastructure and indicators until a summary is added here.

References
2022-05-18Trend MicroBuddy Tancio, Jed Valderama
@online{tancio:20220518:uncovering:2ee6eb7, author = {Buddy Tancio and Jed Valderama}, title = {{Uncovering a Kingminer Botnet Attack Using Trend Micro™ Managed XDR}}, date = {2022-05-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html}, language = {English}, urldate = {2022-05-25} } Uncovering a Kingminer Botnet Attack Using Trend Micro™ Managed XDR
Kingminer
2022-03-16AhnLabASEC Analysis Team
@online{team:20220316:gh0stcringe:65e2d3e, author = {ASEC Analysis Team}, title = {{Gh0stCringe RAT Being Distributed to Vulnerable Database Servers}}, date = {2022-03-16}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/32572/}, language = {English}, urldate = {2022-04-14} } Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
Ghost RAT Kingminer
2022-02-22Bleeping ComputerBill Toulas
@online{toulas:20220222:vulnerable:80109eb, author = {Bill Toulas}, title = {{Vulnerable Microsoft SQL Servers targeted with Cobalt Strike}}, date = {2022-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/}, language = {English}, urldate = {2022-02-26} } Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck
2020-07-08BitdefenderJanos Gergo Szeles, Bogdan Botezatu
@techreport{szeles:20200708:kingminer:f864cae, author = {Janos Gergo Szeles and Bogdan Botezatu}, title = {{Kingminer –a Crypto-Jacking Botnet Under the Scope}}, date = {2020-07-08}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-02-16} } Kingminer –a Crypto-Jacking Botnet Under the Scope
Kingminer
2020-06-09Sophos LabsGabor Szappanos, Vikas Singh
@online{szappanos:20200609:kingminer:0efadc6, author = {Gabor Szappanos and Vikas Singh}, title = {{Kingminer escalates attack complexity for cryptomining}}, date = {2020-06-09}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/09/kingminer-report/}, language = {English}, urldate = {2022-02-16} } Kingminer escalates attack complexity for cryptomining
Kingminer
2020-06-01Sophos LabsGabor Szappanos, Vikas Singh
@techreport{szappanos:20200601:increasingly:2606314, author = {Gabor Szappanos and Vikas Singh}, title = {{THE INCREASINGLY COMPLEX KINGMINER BOTNET}}, date = {2020-06-01}, institution = {Sophos Labs}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf}, language = {English}, urldate = {2021-04-09} } THE INCREASINGLY COMPLEX KINGMINER BOTNET
Kingminer
Yara Rules
[TLP:WHITE] win_kingminer_auto (20230125 | Detects win.kingminer.)
rule win_kingminer_auto {

    /* Purpose: auto-generated (YARA-Signator) code-pattern rule for the
     * Malpedia family win.kingminer, which the references on this page
     * describe as a crypto-jacking / cryptomining botnet.
     * Every string below is a short run of 32-bit x86 instruction bytes lifted
     * from unpacked code or a memory dump (see the DISCLAIMER), so expect hits
     * on unpacked payloads and memory images rather than on packed on-disk
     * droppers.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.kingminer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Extraction settings passed to YARA-Signator; presumably the reason
        // call/jump targets and data references appear as ?? wildcards below
        // (see the tool's repository for the exact meaning of each flag).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer"
        malpedia_rule_date = "20230124"
        // 40 hex digits (SHA-1 length) -- NOTE(review): presumably the
        // reference sample the sequences were taken from; confirm on Malpedia.
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Wildcarded bytes (??) mask operands that differ between builds or
        // load addresses: the rel32 target of e8 (call), the absolute slot of
        // ff15 (call [mem]) and a1 (mov eax, [mem]), and the imm32 of 68 (push).
        // Immediates that are NOT wildcarded (see $sequence_2, $sequence_6,
        // $sequence_8) pin the pattern to one specific image base.
        $sequence_0 = { 5f c7463800000000 8bc6 33cd }
            // n = 4, score = 100
            //   5f                   | pop                 edi
            //   c7463800000000       | mov                 dword ptr [esi + 0x38], 0
            //   8bc6                 | mov                 eax, esi
            //   33cd                 | xor                 ecx, ebp

        // NOTE(review): the immediates stored to [ebp-0x14 .. ebp-0xc] decode
        // as x86 instruction bytes themselves (8b 45 fc = mov eax, [ebp-4];
        // 8b cf = mov ecx, edi; 8b 70 50 = mov esi, [eax+0x50]; 8b d6 =
        // mov edx, esi), i.e. the code appears to assemble a small stub on the
        // stack at runtime -- confirm against the sample before citing it.
        $sequence_1 = { c745ec8b45fc8b c745f0cf8b7050 66c745f48bd6 e8???????? }
            // n = 4, score = 100
            //   c745ec8b45fc8b       | mov                 dword ptr [ebp - 0x14], 0x8bfc458b
            //   c745f0cf8b7050       | mov                 dword ptr [ebp - 0x10], 0x50708bcf
            //   66c745f48bd6         | mov                 word ptr [ebp - 0xc], 0xd68b
            //   e8????????           |                     

        // The absolute table address 0x10010940 is part of the pattern, so this
        // sequence only matches code mapped at the sample's original base
        // (0x1001xxxx; 0x10000000 is the conventional default DLL base). A
        // relocated, rebased or rebuilt copy will not match this string.
        $sequence_2 = { 03348540090110 8b45f8 8b00 8906 8b45fc 8a00 884604 }
            // n = 7, score = 100
            //   03348540090110       | add                 esi, dword ptr [eax*4 + 0x10010940]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8a00                 | mov                 al, byte ptr [eax]
            //   884604               | mov                 byte ptr [esi + 4], al

        // Two back-to-back indirect calls with edi re-pushed between them; the
        // targets are wildcarded, so this is a weak, generic-looking sequence
        // that relies on the "7 of them" condition for specificity.
        $sequence_3 = { 57 52 ff15???????? 57 ff15???????? a1???????? }
            // n = 6, score = 100
            //   57                   | push                edi
            //   52                   | push                edx
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   a1????????           |                     

        // NOTE(review): as with $sequence_1, the stored immediates read as
        // instruction bytes (33 ff = xor edi, edi; 8b 56 20 = mov edx,
        // [esi+0x20]; 8b cb = mov ecx, ebx; e8 = call) -- same stack-built
        // stub pattern; confirm in the sample.
        $sequence_4 = { 8bc7 c745f033ff8b56 c745f4208bcbe8 e8???????? 83c408 }
            // n = 5, score = 100
            //   8bc7                 | mov                 eax, edi
            //   c745f033ff8b56       | mov                 dword ptr [ebp - 0x10], 0x568bff33
            //   c745f4208bcbe8       | mov                 dword ptr [ebp - 0xc], 0xe8cb8b20
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_5 = { 3bf0 741e 68c1000000 ff15???????? 5b }
            // n = 5, score = 100
            //   3bf0                 | cmp                 esi, eax
            //   741e                 | je                  0x20
            //   68c1000000           | push                0xc1
            //   ff15????????         |                     
            //   5b                   | pop                 ebx

        // Stores the absolute pointer 0x1000d088 into a structure field; same
        // image-base dependency as $sequence_2.
        $sequence_6 = { 68???????? ff15???????? 8b7508 c7465c88d00010 }
            // n = 4, score = 100
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465c88d00010       | mov                 dword ptr [esi + 0x5c], 0x1000d088

        $sequence_7 = { 6a01 ff15???????? 6a00 ff15???????? 8b17 }
            // n = 5, score = 100
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8b17                 | mov                 edx, dword ptr [edi]

        // Indexes an 8-byte-stride table at the absolute address 0x1000f218;
        // same image-base dependency as $sequence_2.
        $sequence_8 = { 8b7508 8d34f518f20010 391e 7404 8bc7 }
            // n = 5, score = 100
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8d34f518f20010       | lea                 esi, [esi*8 + 0x1000f218]
            //   391e                 | cmp                 dword ptr [esi], ebx
            //   7404                 | je                  6
            //   8bc7                 | mov                 eax, edi

        $sequence_9 = { 57 ff15???????? 6a00 57 ff15???????? 8bf0 a1???????? }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   a1????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present (up to three may be
        // missing, e.g. the image-base-pinned ones on a relocated copy), and
        // the scanned object must be smaller than 165888 bytes (162 KiB), a
        // cutoff derived from the reference sample.
        // NOTE(review): `filesize` is not meaningful when scanning a running
        // process, and a larger or padded build fails this test outright --
        // check how your scanner evaluates it before relying on this rule for
        // in-memory detection.
        7 of them and filesize < 165888
}