win.monero_miner

Monero Miner

aka: CoinMiner

According to ESET, this malicious mining software — first seen in the wild on 26 May 2017 — is a fork of XMRig, a legitimate open-source Monero CPU miner.

References
2022-09-06 — AT&T — Ofer Caspi
Shikitega - New stealthy malware targeting Linux
BotenaGo EnemyBot Meterpreter Monero Miner
2022-08-08 — AhnLab — ASEC Analysis Team
Monero CoinMiner Being Distributed via Webhards
Monero Miner
2021-10-24 — Sophos — Sean Gallagher
Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor
DanaBot Monero Miner
2021-01-18 — The DFIR Report — The DFIR Report
All That for a Coinminer?
Coinminer Monero Miner
2017-09-28 — ESET Research — Michal Poslušný, Peter Kálnai
Money‑making machine: Monero‑mining malware
Monero Miner
Yara Rules
[TLP:WHITE] win_monero_miner_auto (20260504 | Detects win.monero_miner.)
rule win_monero_miner_auto {
    // Autogenerated code-sequence signature for win.monero_miner (aka CoinMiner).
    // NOTE(review): the family is described above as a fork of the legitimate
    // XMRig miner, so opcode sequences lifted from its binaries may also be
    // present in benign xmrig builds. Treat a hit as "xmrig-derived miner
    // code present" rather than proof of malicious intent, and corroborate
    // with deployment context (persistence, process ancestry, pool config).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.monero_miner."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings (feature classes used to pick the sequences);
        // see the yara-signator repository linked in the disclaimer below.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 32-bit x86 machine code (note the
        // esp/ebp/dword operands). The indented "//" lines under each one
        // reproduce the disassembly for the reader only; they have no
        // matching semantics. "??" bytes are wildcards: here every wildcard
        // run is exactly 4 bytes and sits where a 32-bit immediate,
        // displacement or call target would be (e.g. "e8????????" is a
        // rel32 call), which is why the corresponding disassembly lines are
        // left blank — presumably these operands vary between builds or
        // with relocation, so they are deliberately not pinned.
        $sequence_0 = { 8bbc2484000000 89f5 01f0 11fa 89442470 0facfe1c 89542474 }
            // n = 7, score = 100
            //   8bbc2484000000       | mov                 edi, dword ptr [esp + 0x84]
            //   89f5                 | mov                 ebp, esi
            //   01f0                 | add                 eax, esi
            //   11fa                 | adc                 edx, edi
            //   89442470             | mov                 dword ptr [esp + 0x70], eax
            //   0facfe1c             | shrd                esi, edi, 0x1c
            //   89542474             | mov                 dword ptr [esp + 0x74], edx

        $sequence_1 = { 8bac2430010000 89b3fc000000 c6835802000001 89742408 c7442404???????? 892c24 e8???????? }
            // n = 7, score = 100
            //   8bac2430010000       | mov                 ebp, dword ptr [esp + 0x130]
            //   89b3fc000000         | mov                 dword ptr [ebx + 0xfc], esi
            //   c6835802000001       | mov                 byte ptr [ebx + 0x258], 1
            //   89742408             | mov                 dword ptr [esp + 8], esi
            //   c7442404????????     |                     
            //   892c24               | mov                 dword ptr [esp], ebp
            //   e8????????           |                     

        $sequence_2 = { 8b5c2414 8b7c2410 83fb00 7708 81ffff010000 767a 8b742410 }
            // n = 7, score = 100
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   83fb00               | cmp                 ebx, 0
            //   7708                 | ja                  0xa
            //   81ffff010000         | cmp                 edi, 0x1ff
            //   767a                 | jbe                 0x7c
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]

        $sequence_3 = { 8b4b04 894a04 8b4b04 8b730c 8911 8b6b08 8b4b14 }
            // n = 7, score = 100
            //   8b4b04               | mov                 ecx, dword ptr [ebx + 4]
            //   894a04               | mov                 dword ptr [edx + 4], ecx
            //   8b4b04               | mov                 ecx, dword ptr [ebx + 4]
            //   8b730c               | mov                 esi, dword ptr [ebx + 0xc]
            //   8911                 | mov                 dword ptr [ecx], edx
            //   8b6b08               | mov                 ebp, dword ptr [ebx + 8]
            //   8b4b14               | mov                 ecx, dword ptr [ebx + 0x14]

        $sequence_4 = { 137c2424 03442440 89ac2468050000 8b6c247c 136c2444 89b4246c050000 894c2468 }
            // n = 7, score = 100
            //   137c2424             | adc                 edi, dword ptr [esp + 0x24]
            //   03442440             | add                 eax, dword ptr [esp + 0x40]
            //   89ac2468050000       | mov                 dword ptr [esp + 0x568], ebp
            //   8b6c247c             | mov                 ebp, dword ptr [esp + 0x7c]
            //   136c2444             | adc                 ebp, dword ptr [esp + 0x44]
            //   89b4246c050000       | mov                 dword ptr [esp + 0x56c], esi
            //   894c2468             | mov                 dword ptr [esp + 0x68], ecx

        $sequence_5 = { 0fb68532030000 0f95835d020000 888365020000 8b851c040000 85c0 0fb6854c030000 }
            // n = 6, score = 100
            //   0fb68532030000       | movzx               eax, byte ptr [ebp + 0x332]
            //   0f95835d020000       | setne               byte ptr [ebx + 0x25d]
            //   888365020000         | mov                 byte ptr [ebx + 0x265], al
            //   8b851c040000         | mov                 eax, dword ptr [ebp + 0x41c]
            //   85c0                 | test                eax, eax
            //   0fb6854c030000       | movzx               eax, byte ptr [ebp + 0x34c]

        $sequence_6 = { 8bb424b8010000 31d5 894f74 8b8c2430030000 89ac24ac010000 897770 89cb }
            // n = 7, score = 100
            //   8bb424b8010000       | mov                 esi, dword ptr [esp + 0x1b8]
            //   31d5                 | xor                 ebp, edx
            //   894f74               | mov                 dword ptr [edi + 0x74], ecx
            //   8b8c2430030000       | mov                 ecx, dword ptr [esp + 0x330]
            //   89ac24ac010000       | mov                 dword ptr [esp + 0x1ac], ebp
            //   897770               | mov                 dword ptr [edi + 0x70], esi
            //   89cb                 | mov                 ebx, ecx

        $sequence_7 = { 8bac2490000000 23ac24b8010000 89b424cc010000 8bb42494000000 23b424bc010000 31d5 8b542408 }
            // n = 7, score = 100
            //   8bac2490000000       | mov                 ebp, dword ptr [esp + 0x90]
            //   23ac24b8010000       | and                 ebp, dword ptr [esp + 0x1b8]
            //   89b424cc010000       | mov                 dword ptr [esp + 0x1cc], esi
            //   8bb42494000000       | mov                 esi, dword ptr [esp + 0x94]
            //   23b424bc010000       | and                 esi, dword ptr [esp + 0x1bc]
            //   31d5                 | xor                 ebp, edx
            //   8b542408             | mov                 edx, dword ptr [esp + 8]

        $sequence_8 = { f20f2ac9 8974240c f20f2af8 f20f1005???????? f20f106c2438 f20f116c2418 f20f58f4 }
            // n = 7, score = 100
            //   f20f2ac9             | cvtsi2sd            xmm1, ecx
            //   8974240c             | mov                 dword ptr [esp + 0xc], esi
            //   f20f2af8             | cvtsi2sd            xmm7, eax
            //   f20f1005????????     |                     
            //   f20f106c2438         | movsd               xmm5, qword ptr [esp + 0x38]
            //   f20f116c2418         | movsd               qword ptr [esp + 0x18], xmm5
            //   f20f58f4             | addsd               xmm6, xmm4

        $sequence_9 = { f7d0 81f2ffffff7f 09c2 0f8437020000 c7432001000000 e9???????? 0fb64500 }
            // n = 7, score = 100
            //   f7d0                 | not                 eax
            //   81f2ffffff7f         | xor                 edx, 0x7fffffff
            //   09c2                 | or                  edx, eax
            //   0f8437020000         | je                  0x23d
            //   c7432001000000       | mov                 dword ptr [ebx + 0x20], 1
            //   e9????????           |                     
            //   0fb64500             | movzx               eax, byte ptr [ebp]

    condition:
        // At least 7 of the 10 sequences above must be present, and the
        // scanned object must be smaller than 1,425,408 bytes (~1.36 MiB);
        // anything that size or larger never matches, regardless of content.
        // NOTE(review): there is no PE header (MZ/PE) check. The disclaimer
        // says the sequences were lifted from memory dumps and unpacked
        // code, so presumably the rule is meant to run against such targets
        // too — confirm what you scan before adding a header check, as it
        // would drop matches on headerless dumps.
        7 of them and filesize < 1425408
}