Kingminer (Malware Family)

Kingminer

VTCollection

According to Sophis, the botnet has been active since 2018, initially, the botmasters operated DDoS tools and backdoors, but later moved on to cryptocurrency miners. They use a DGA to automatically change the hosting
domains every week.

References

2022-05-18 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama
Uncovering a Kingminer Botnet Attack Using Trend Micro™ Managed XDR
Kingminer

2022-03-16 ⋅ AhnLab ⋅ ASEC Analysis Team
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
Ghost RAT Kingminer

2022-02-22 ⋅ Bleeping Computer ⋅ Bill Toulas
Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck

2020-07-08 ⋅ Bitdefender ⋅ Bogdan Botezatu, Janos Gergo Szeles
Kingminer –a Crypto-Jacking Botnet Under the Scope
Kingminer

2020-06-09 ⋅ Sophos Labs ⋅ Gabor Szappanos, Vikas Singh
Kingminer escalates attack complexity for cryptomining
Kingminer

2020-06-01 ⋅ Sophos Labs ⋅ Gabor Szappanos, Vikas Singh
THE INCREASINGLY COMPLEX KINGMINER BOTNET
Kingminer

Yara Rules

[TLP:WHITE] win_kingminer_auto (20260504 | Detects win.kingminer.)

rule win_kingminer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.kingminer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff34c518f20010 ff15???????? 5d c3 6a0c 68???????? }
            // n = 6, score = 100
            //   ff34c518f20010       | push                dword ptr [eax*8 + 0x1000f218]
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a0c                 | push                0xc
            //   68????????           |                     

        $sequence_1 = { ff15???????? 85c0 7517 8b4924 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7517                 | jne                 0x19
            //   8b4924               | mov                 ecx, dword ptr [ecx + 0x24]

        $sequence_2 = { 51 52 50 8985e0feffff }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   52                   | push                edx
            //   50                   | push                eax
            //   8985e0feffff         | mov                 dword ptr [ebp - 0x120], eax

        $sequence_3 = { b3e8 50 885df6 56 }
            // n = 4, score = 100
            //   b3e8                 | mov                 bl, 0xe8
            //   50                   | push                eax
            //   885df6               | mov                 byte ptr [ebp - 0xa], bl
            //   56                   | push                esi

        $sequence_4 = { e8???????? 68???????? ff15???????? 8b7508 c7465c88d00010 83660800 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465c88d00010       | mov                 dword ptr [esi + 0x5c], 0x1000d088
            //   83660800             | and                 dword ptr [esi + 8], 0

        $sequence_5 = { 8a16 381408 8d3c08 751d }
            // n = 4, score = 100
            //   8a16                 | mov                 dl, byte ptr [esi]
            //   381408               | cmp                 byte ptr [eax + ecx], dl
            //   8d3c08               | lea                 edi, [eax + ecx]
            //   751d                 | jne                 0x1f

        $sequence_6 = { 83791000 7514 8b4f3c 8b17 394a38 740a 33d2 }
            // n = 7, score = 100
            //   83791000             | cmp                 dword ptr [ecx + 0x10], 0
            //   7514                 | jne                 0x16
            //   8b4f3c               | mov                 ecx, dword ptr [edi + 0x3c]
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   394a38               | cmp                 dword ptr [edx + 0x38], ecx
            //   740a                 | je                  0xc
            //   33d2                 | xor                 edx, edx

        $sequence_7 = { 7467 57 6a08 56 8d3c18 e8???????? 8b4e04 }
            // n = 7, score = 100
            //   7467                 | je                  0x69
            //   57                   | push                edi
            //   6a08                 | push                8
            //   56                   | push                esi
            //   8d3c18               | lea                 edi, [eax + ebx]
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]

        $sequence_8 = { 52 6a04 6800100000 50 53 ff95dcfeffff }
            // n = 6, score = 100
            //   52                   | push                edx
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff95dcfeffff         | call                dword ptr [ebp - 0x124]

        $sequence_9 = { 57 ff15???????? 6a00 57 ff15???????? 8bf0 a1???????? }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   a1????????           |                     

    condition:
        7 of them and filesize < 165888
}

Download all Yara Rules

Kingminer Propose Change

References

Yara Rules

Kingminer