SYMBOLCOMMON_NAMEaka. SYNONYMS
win.monero_miner (Back to overview)

Monero Miner

aka: CoinMiner
VTCollection    

There is no description at this point.

References
2022-09-06AT&TOfer Caspi
Shikitega - New stealthy malware targeting Linux
BotenaGo EnemyBot Meterpreter Monero Miner
2022-08-08AhnLabASEC Analysis Team
Monero CoinMiner Being Distributed via Webhards
Monero Miner
2021-10-24SophosSean Gallagher
Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor
DanaBot Monero Miner
2021-01-18The DFIR ReportThe DFIR Report
All That for a Coinminer?
Coinminer Monero Miner
2017-09-28ESET ResearchMichal Poslušný, Peter Kálnai
Money‑making machine: Monero‑mining malware
Monero Miner
Yara Rules
[TLP:WHITE] win_monero_miner_auto (20230808 | Detects win.monero_miner.)
rule win_monero_miner_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.monero_miner."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb65508 034d04 035d00 01d0 e9???????? 0fb77508 034d04 }
            // n = 7, score = 100
            //   0fb65508             | movzx               edx, byte ptr [ebp + 8]
            //   034d04               | add                 ecx, dword ptr [ebp + 4]
            //   035d00               | add                 ebx, dword ptr [ebp]
            //   01d0                 | add                 eax, edx
            //   e9????????           |                     
            //   0fb77508             | movzx               esi, word ptr [ebp + 8]
            //   034d04               | add                 ecx, dword ptr [ebp + 4]

        $sequence_1 = { 8b842490000000 895f40 338424ac000000 8b9c2444010000 31cd 8b8c2440010000 31de }
            // n = 7, score = 100
            //   8b842490000000       | mov                 eax, dword ptr [esp + 0x90]
            //   895f40               | mov                 dword ptr [edi + 0x40], ebx
            //   338424ac000000       | xor                 eax, dword ptr [esp + 0xac]
            //   8b9c2444010000       | mov                 ebx, dword ptr [esp + 0x144]
            //   31cd                 | xor                 ebp, ecx
            //   8b8c2440010000       | mov                 ecx, dword ptr [esp + 0x140]
            //   31de                 | xor                 esi, ebx

        $sequence_2 = { 8b442460 31f5 8bb42488000000 03742460 896c2438 89c5 897c243c }
            // n = 7, score = 100
            //   8b442460             | mov                 eax, dword ptr [esp + 0x60]
            //   31f5                 | xor                 ebp, esi
            //   8bb42488000000       | mov                 esi, dword ptr [esp + 0x88]
            //   03742460             | add                 esi, dword ptr [esp + 0x60]
            //   896c2438             | mov                 dword ptr [esp + 0x38], ebp
            //   89c5                 | mov                 ebp, eax
            //   897c243c             | mov                 dword ptr [esp + 0x3c], edi

        $sequence_3 = { 8b4c2424 c7042400000000 89442404 8b442420 e8???????? 85c0 89c3 }
            // n = 7, score = 100
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   89c3                 | mov                 ebx, eax

        $sequence_4 = { 8b54245c 09ce 89b424f0010000 897738 89ac24f4010000 896f3c 0fa4c204 }
            // n = 7, score = 100
            //   8b54245c             | mov                 edx, dword ptr [esp + 0x5c]
            //   09ce                 | or                  esi, ecx
            //   89b424f0010000       | mov                 dword ptr [esp + 0x1f0], esi
            //   897738               | mov                 dword ptr [edi + 0x38], esi
            //   89ac24f4010000       | mov                 dword ptr [esp + 0x1f4], ebp
            //   896f3c               | mov                 dword ptr [edi + 0x3c], ebp
            //   0fa4c204             | shld                edx, eax, 4

        $sequence_5 = { 8d4c2427 89742414 895c240c 897c2408 c744240400000000 83e1f0 8b7de0 }
            // n = 7, score = 100
            //   8d4c2427             | lea                 ecx, [esp + 0x27]
            //   89742414             | mov                 dword ptr [esp + 0x14], esi
            //   895c240c             | mov                 dword ptr [esp + 0xc], ebx
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   83e1f0               | and                 ecx, 0xfffffff0
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]

        $sequence_6 = { 89bc24c0010000 89ac24c4010000 8bac24c8040000 036c2420 8b742460 8bbc24cc040000 137c2424 }
            // n = 7, score = 100
            //   89bc24c0010000       | mov                 dword ptr [esp + 0x1c0], edi
            //   89ac24c4010000       | mov                 dword ptr [esp + 0x1c4], ebp
            //   8bac24c8040000       | mov                 ebp, dword ptr [esp + 0x4c8]
            //   036c2420             | add                 ebp, dword ptr [esp + 0x20]
            //   8b742460             | mov                 esi, dword ptr [esp + 0x60]
            //   8bbc24cc040000       | mov                 edi, dword ptr [esp + 0x4cc]
            //   137c2424             | adc                 edi, dword ptr [esp + 0x24]

        $sequence_7 = { c744240423000000 8b85c0040000 890424 e8???????? 85c0 7403 c60000 }
            // n = 7, score = 100
            //   c744240423000000     | mov                 dword ptr [esp + 4], 0x23
            //   8b85c0040000         | mov                 eax, dword ptr [ebp + 0x4c0]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   c60000               | mov                 byte ptr [eax], 0

        $sequence_8 = { e8???????? 8d4b50 8d5705 c7435c00000000 c7435800000000 c7435400000000 895350 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d4b50               | lea                 ecx, [ebx + 0x50]
            //   8d5705               | lea                 edx, [edi + 5]
            //   c7435c00000000       | mov                 dword ptr [ebx + 0x5c], 0
            //   c7435800000000       | mov                 dword ptr [ebx + 0x58], 0
            //   c7435400000000       | mov                 dword ptr [ebx + 0x54], 0
            //   895350               | mov                 dword ptr [ebx + 0x50], edx

        $sequence_9 = { 8b8424b0010000 899424c4010000 8b9424b4010000 89ac24c0010000 01c1 89c5 11d3 }
            // n = 7, score = 100
            //   8b8424b0010000       | mov                 eax, dword ptr [esp + 0x1b0]
            //   899424c4010000       | mov                 dword ptr [esp + 0x1c4], edx
            //   8b9424b4010000       | mov                 edx, dword ptr [esp + 0x1b4]
            //   89ac24c0010000       | mov                 dword ptr [esp + 0x1c0], ebp
            //   01c1                 | add                 ecx, eax
            //   89c5                 | mov                 ebp, eax
            //   11d3                 | adc                 ebx, edx

    condition:
        7 of them and filesize < 1425408
}
Download all Yara Rules