win.monero_miner

Monero Miner

aka: CoinMiner

There is no description at this point.

References
2022-09-06 | AT&T | Ofer Caspi
@online{caspi:20220906:shikitega:bee20db, author = {Ofer Caspi}, title = {{Shikitega - New stealthy malware targeting Linux}}, date = {2022-09-06}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux}, language = {English}, urldate = {2023-01-19} } Shikitega - New stealthy malware targeting Linux
BotenaGo EnemyBot Meterpreter Monero Miner
2022-08-08 | AhnLab | ASEC Analysis Team
@online{team:20220808:monero:368d22b, author = {ASEC Analysis Team}, title = {{Monero CoinMiner Being Distributed via Webhards}}, date = {2022-08-08}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/37526/}, language = {English}, urldate = {2023-01-19} } Monero CoinMiner Being Distributed via Webhards
Monero Miner
2021-10-24 | Sophos | Sean Gallagher
@online{gallagher:20211024:node:3619389, author = {Sean Gallagher}, title = {{Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor}}, date = {2021-10-24}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor}, language = {English}, urldate = {2021-11-02} } Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor
DanaBot Monero Miner
2021-01-18 | The DFIR Report | The DFIR Report
@online{report:20210118:all:daed9a4, author = {The DFIR Report}, title = {{All That for a Coinminer?}}, date = {2021-01-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/}, language = {English}, urldate = {2021-01-21} } All That for a Coinminer?
Coinminer Monero Miner
2017-09-28 | ESET Research | Peter Kálnai, Michal Poslušný
@online{klnai:20170928:moneymaking:ac6e685, author = {Peter Kálnai and Michal Poslušný}, title = {{Money‑making machine: Monero‑mining malware}}, date = {2017-09-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/}, language = {English}, urldate = {2019-11-14} } Money‑making machine: Monero‑mining malware
Monero Miner
Yara Rules
[TLP:WHITE] win_monero_miner_auto (20230715 | Detects win.monero_miner.)
rule win_monero_miner_auto {
    // Auto-generated (yara-signator) code-sequence rule for the Malpedia family
    // win.monero_miner (aka CoinMiner). It matches 32-bit x86 instruction byte
    // patterns lifted from disassembled samples; it carries no string, import or
    // configuration indicators, so a hit means "code seen in the reference
    // sample(s) is present", not which miner build or pool configuration it is.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.monero_miner."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings: call/jump targets and data references appear to be
        // masked as ???????? in the sequences below (see $sequence_4/7/8), while
        // immediates are kept as literal bytes.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner"
        // Three distinct timestamps (rule date, malpedia_rule_date, malpedia_version);
        // their exact meaning is defined by the yara-signator/Malpedia pipeline.
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction encodings; the
        // per-line comments give the generator's disassembly of each encoding.
        // "n" is the number of instructions, "score" the generator's ranking.

        // Plain stack-slot register shuffle; generic compiler output, low specificity on its own.
        $sequence_0 = { 894c2440 8b4c2440 895c2444 89c3 89d0 8b542444 8b6c2444 }
            // n = 7, score = 100
            //   894c2440             | mov                 dword ptr [esp + 0x40], ecx
            //   8b4c2440             | mov                 ecx, dword ptr [esp + 0x40]
            //   895c2444             | mov                 dword ptr [esp + 0x44], ebx
            //   89c3                 | mov                 ebx, eax
            //   89d0                 | mov                 eax, edx
            //   8b542444             | mov                 edx, dword ptr [esp + 0x44]
            //   8b6c2444             | mov                 ebp, dword ptr [esp + 0x44]

        // add/adc pair followed by shrd on register pairs: 64-bit add and 64-bit
        // shift synthesized from 32-bit registers (consistent with hash/PoW
        // arithmetic, but that intent cannot be confirmed from the rule alone).
        $sequence_1 = { 8b542434 896c2420 01c1 89c5 11d3 0facd018 0facea18 }
            // n = 7, score = 100
            //   8b542434             | mov                 edx, dword ptr [esp + 0x34]
            //   896c2420             | mov                 dword ptr [esp + 0x20], ebp
            //   01c1                 | add                 ecx, eax
            //   89c5                 | mov                 ebp, eax
            //   11d3                 | adc                 ebx, edx
            //   0facd018             | shrd                eax, edx, 0x18
            //   0facea18             | shrd                edx, ebp, 0x18

        // Argument staging through [esp + n] slots (cdecl-style call setup).
        $sequence_2 = { 89442410 8b4638 c744240804000000 895c2404 8944240c 8b07 890424 }
            // n = 7, score = 100
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   c744240804000000     | mov                 dword ptr [esp + 8], 4
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   890424               | mov                 dword ptr [esp], eax

        // Branchless flag computation (setne/movzx/cmovne).
        $sequence_3 = { 85d1 0f95c2 0fb6d2 89d0 83c802 85f1 0f45d0 }
            // n = 7, score = 100
            //   85d1                 | test                ecx, edx
            //   0f95c2               | setne               dl
            //   0fb6d2               | movzx               edx, dl
            //   89d0                 | mov                 eax, edx
            //   83c802               | or                  eax, 2
            //   85f1                 | test                ecx, esi
            //   0f45d0               | cmovne              edx, eax

        // Wildcarded operands: the generator masks rel32 jump targets and absolute
        // data addresses because they change with link/relocation.
        $sequence_4 = { e9???????? a1???????? 85c0 740c 83e801 85c0 a3???????? }
            // n = 7, score = 100
            //   e9????????           | jmp                 <rel32, wildcarded>
            //   a1????????           | mov                 eax, dword ptr [<abs32, wildcarded>]
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe
            //   83e801               | sub                 eax, 1
            //   85c0                 | test                eax, eax
            //   a3????????           | mov                 dword ptr [<abs32, wildcarded>], eax

        // Register spills to a large stack frame (offsets up to 0x3f0).
        $sequence_5 = { 8b7d24 89b424f0030000 8b7520 894c2440 898c24d8030000 89542444 899424dc030000 }
            // n = 7, score = 100
            //   8b7d24               | mov                 edi, dword ptr [ebp + 0x24]
            //   89b424f0030000       | mov                 dword ptr [esp + 0x3f0], esi
            //   8b7520               | mov                 esi, dword ptr [ebp + 0x20]
            //   894c2440             | mov                 dword ptr [esp + 0x40], ecx
            //   898c24d8030000       | mov                 dword ptr [esp + 0x3d8], ecx
            //   89542444             | mov                 dword ptr [esp + 0x44], edx
            //   899424dc030000       | mov                 dword ptr [esp + 0x3dc], edx

        // shld pair on a register pair plus xor mixing: 64-bit rotate/shift by 0x1f
        // built from 32-bit registers (same caveat as $sequence_1).
        $sequence_6 = { 8b8424b0000000 89c5 0fa4d01f 0fa4ea1f 89cd 31c5 31da }
            // n = 7, score = 100
            //   8b8424b0000000       | mov                 eax, dword ptr [esp + 0xb0]
            //   89c5                 | mov                 ebp, eax
            //   0fa4d01f             | shld                eax, edx, 0x1f
            //   0fa4ea1f             | shld                edx, ebp, 0x1f
            //   89cd                 | mov                 ebp, ecx
            //   31c5                 | xor                 ebp, eax
            //   31da                 | xor                 edx, ebx

        // Two consecutive calls with stack-staged arguments; call targets wildcarded.
        $sequence_7 = { 89542408 89442404 892c24 e8???????? 891c24 e8???????? 85c0 }
            // n = 7, score = 100
            //   89542408             | mov                 dword ptr [esp + 8], edx
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   892c24               | mov                 dword ptr [esp], ebp
            //   e8????????           | call                <rel32, wildcarded>
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           | call                <rel32, wildcarded>
            //   85c0                 | test                eax, eax

        // Stores into a structure via edx (+0x38, +0xe4); jump targets wildcarded.
        $sequence_8 = { e9???????? 8b442428 894238 31c0 e9???????? 8b442428 8982e4000000 }
            // n = 7, score = 100
            //   e9????????           | jmp                 <rel32, wildcarded>
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   894238               | mov                 dword ptr [edx + 0x38], eax
            //   31c0                 | xor                 eax, eax
            //   e9????????           | jmp                 <rel32, wildcarded>
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   8982e4000000         | mov                 dword ptr [edx + 0xe4], eax

        // Byte-wise loop body: 6-bit masking (and 0x3f) with a shl 6 accumulator
        // and a byte load at [edi + ecx + 1]; a table/encoding walk of some kind,
        // exact purpose not determinable from the rule.
        $sequence_9 = { 89c2 c1e506 83e23f 01ea 0fb6440f01 83c101 }
            // n = 6, score = 100
            //   89c2                 | mov                 edx, eax
            //   c1e506               | shl                 ebp, 6
            //   83e23f               | and                 edx, 0x3f
            //   01ea                 | add                 edx, ebp
            //   0fb6440f01           | movzx               eax, byte ptr [edi + ecx + 1]
            //   83c101               | add                 ecx, 1

    condition:
        // At least 7 of the 10 $sequence_* patterns must be present AND the scanned
        // file must be smaller than 1425408 bytes (~1.36 MiB). The size cap is
        // characteristic of yara-signator output and presumably derives from the
        // reference sample(s); confirm before applying the rule to larger or
        // differently packed builds, where it suppresses otherwise valid hits.
        // Per the YARA docs, filesize is only defined when scanning a file, not
        // process memory, so evaluate that case before relying on this rule there.
        // Several sequences (0, 2, 5, 7) are generic compiler-emitted moves, so the
        // 7-of-10 threshold carries the specificity; treat a match as an indicator
        // to corroborate, not a verdict.
        7 of them and filesize < 1425408
}