win.kingminer

Kingminer


There is no description at this point.

References
2022-05-18 | Trend Micro | Buddy Tancio, Jed Valderama
@online{tancio:20220518:uncovering:2ee6eb7, author = {Buddy Tancio and Jed Valderama}, title = {{Uncovering a Kingminer Botnet Attack Using Trend Micro™ Managed XDR}}, date = {2022-05-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html}, language = {English}, urldate = {2022-05-25} } Uncovering a Kingminer Botnet Attack Using Trend Micro™ Managed XDR
Kingminer
2022-03-16 | AhnLab | ASEC Analysis Team
@online{team:20220316:gh0stcringe:65e2d3e, author = {ASEC Analysis Team}, title = {{Gh0stCringe RAT Being Distributed to Vulnerable Database Servers}}, date = {2022-03-16}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/32572/}, language = {English}, urldate = {2022-04-14} } Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
Ghost RAT, Kingminer
2022-02-22 | Bleeping Computer | Bill Toulas
@online{toulas:20220222:vulnerable:80109eb, author = {Bill Toulas}, title = {{Vulnerable Microsoft SQL Servers targeted with Cobalt Strike}}, date = {2022-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/}, language = {English}, urldate = {2022-02-26} } Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike, Kingminer, Lemon Duck
2020-07-08 | Bitdefender | Janos Gergo Szeles, Bogdan Botezatu
@techreport{szeles:20200708:kingminer:f864cae, author = {Janos Gergo Szeles and Bogdan Botezatu}, title = {{Kingminer –a Crypto-Jacking Botnet Under the Scope}}, date = {2020-07-08}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-02-16} } Kingminer –a Crypto-Jacking Botnet Under the Scope
Kingminer
2020-06-09 | Sophos Labs | Gabor Szappanos, Vikas Singh
@online{szappanos:20200609:kingminer:0efadc6, author = {Gabor Szappanos and Vikas Singh}, title = {{Kingminer escalates attack complexity for cryptomining}}, date = {2020-06-09}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/09/kingminer-report/}, language = {English}, urldate = {2022-02-16} } Kingminer escalates attack complexity for cryptomining
Kingminer
2020-06-01 | Sophos Labs | Gabor Szappanos, Vikas Singh
@techreport{szappanos:20200601:increasingly:2606314, author = {Gabor Szappanos and Vikas Singh}, title = {{THE INCREASINGLY COMPLEX KINGMINER BOTNET}}, date = {2020-06-01}, institution = {Sophos Labs}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf}, language = {English}, urldate = {2021-04-09} } THE INCREASINGLY COMPLEX KINGMINER BOTNET
Kingminer
Yara Rules
[TLP:WHITE] win_kingminer_auto (20220516 | Detects win.kingminer.)
// Auto-generated code-sequence signature (yara-signator) for the win.kingminer
// family. Each $sequence_N string is a run of x86 opcode bytes; the
// "// n = …, score = …" comment under it lists the decoded instructions
// (n = number of instructions in the sequence; score is yara-signator's own
// ranking metric, whose scale is not explained here).
// The rule text is pinned by the meta fields below (version, malpedia_hash,
// malpedia_version), so the strings, meta values and condition are kept
// byte-identical; only explanatory comments are added.
rule win_kingminer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.kingminer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer"
        malpedia_rule_date = "20220513"
        // Hash identifying the Malpedia data snapshot this rule was generated from.
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Throughout these sequences, "????????" wildcards a 4-byte operand:
        // the rel32 target of an e8 (call) or the absolute address of an
        // 8b0d (mov ecx, dword ptr [addr]). Those bytes are left undecoded in
        // the comment columns. NOTE(review): presumably masked because they
        // differ between builds and load addresses — confirm against the
        // yara-signator docs.
        $sequence_0 = { 3010 40 49 75fa 8b0d???????? }
            // n = 5, score = 100
            //   3010                 | xor                 byte ptr [eax], dl
            //   40                   | inc                 eax
            //   49                   | dec                 ecx
            //   75fa                 | jne                 0xfffffffc
            //   8b0d????????         |                     
            // Byte-wise xor loop over a buffer with a register key; the
            // backward jne (75fa) is the loop edge.

        $sequence_1 = { 50 57 e8???????? 83c408 85c0 74d8 8b7e3c }
            // n = 7, score = 100
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   74d8                 | je                  0xffffffda
            //   8b7e3c               | mov                 edi, dword ptr [esi + 0x3c]
            // Two-argument cdecl call (esp restored by 8) whose result is
            // tested before the next iteration.

        $sequence_2 = { 6a01 e8???????? 8b0d???????? 56 50 51 e8???????? }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   56                   | push                esi
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_3 = { b94c010000 66394f04 75af 53 8b5f38 f6c301 7570 }
            // n = 7, score = 100
            //   b94c010000           | mov                 ecx, 0x14c
            //   66394f04             | cmp                 word ptr [edi + 4], cx
            //   75af                 | jne                 0xffffffb1
            //   53                   | push                ebx
            //   8b5f38               | mov                 ebx, dword ptr [edi + 0x38]
            //   f6c301               | test                bl, 1
            //   7570                 | jne                 0x72
            // Compares a 16-bit field at [edi + 4] against 0x14c before
            // testing the low bit of a dword at [edi + 0x38].

        $sequence_4 = { 0355fc 50 8b471c 6a04 6800100000 51 52 }
            // n = 7, score = 100
            //   0355fc               | add                 edx, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   8b471c               | mov                 eax, dword ptr [edi + 0x1c]
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   51                   | push                ecx
            //   52                   | push                edx
            // Pushes the constants 4 and 0x1000 among the arguments of a
            // call that lies outside the sequence.

        $sequence_5 = { 7406 33c0 5d c21000 e8???????? }
            // n = 5, score = 100
            //   7406                 | je                  8
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   c21000               | ret                 0x10
            //   e8????????           |                     
            // Failure path of a stdcall function with 16 bytes of
            // arguments: returns 0 (eax cleared) via ret 0x10.

        $sequence_6 = { 03c8 8d543112 eb5c 8d45cc 50 56 }
            // n = 6, score = 100
            //   03c8                 | add                 ecx, eax
            //   8d543112             | lea                 edx, [ecx + esi + 0x12]
            //   eb5c                 | jmp                 0x5e
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_7 = { 72ee 33c0 5d c3 8b04c544cb0010 5d }
            // n = 6, score = 100
            //   72ee                 | jb                  0xfffffff0
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04c544cb0010       | mov                 eax, dword ptr [eax*8 + 0x1000cb44]
            //   5d                   | pop                 ebp
            // Contains an absolute data reference (0x1000cb44) that is NOT
            // wildcarded, so this sequence is tied to one image base / build.

        $sequence_8 = { 8b4d08 8b11 8b45f8 0fb74a06 40 83c628 897dec }
            // n = 7, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   0fb74a06             | movzx               ecx, word ptr [edx + 6]
            //   40                   | inc                 eax
            //   83c628               | add                 esi, 0x28
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            // Loads a 16-bit field at offset 6 of a pointed-to structure
            // and advances esi by 0x28 per iteration.

        $sequence_9 = { 8b95d0feffff 2b4234 7419 83b9a000000000 7466 50 }
            // n = 6, score = 100
            //   8b95d0feffff         | mov                 edx, dword ptr [ebp - 0x130]
            //   2b4234               | sub                 eax, dword ptr [edx + 0x34]
            //   7419                 | je                  0x1b
            //   83b9a000000000       | cmp                 dword ptr [ecx + 0xa0], 0
            //   7466                 | je                  0x68
            //   50                   | push                eax

    condition:
        // Matches when at least 7 of the 10 sequences are present AND the
        // scanned object is smaller than 165888 bytes (162 KiB). The size
        // bound is evaluated on what YARA is scanning, so an unpacked image
        // or memory dump larger than the original sample will not match even
        // if all sequences are present. NOTE(review): for process-memory scans
        // `filesize` may be undefined — confirm the behaviour for your scanner
        // before relying on this rule outside file scanning.
        7 of them and filesize < 165888
}