win.victorygate

VictoryGate


VictoryGate was the name of a cryptomining botnet that was disrupted by ESET researchers in April 2020. The malware operated by the botnet was itself also referred to as VictoryGate. It was first spotted in May 2019 and mainly targeted Latin American users, specifically in Peru (Criptonizando states that about 90% of the botnet's population resided there). Both public and private sector organisations were affected.
This cryptojacking malware mined the Monero (XMR) cryptocurrency. VictoryGate shows very strong code overlap with win.orchard.

References
2021-02-22 — AdvIntel — Beatriz Pimenta Klein
Economic Growth, Digital Inclusion, & Specialized Crime: Financial Cyber Fraud in LATAM
BRATA Mekotio Metamorfo Ploutus ATM VictoryGate
2020-04-26 — Criptonizando — Criptonizando
35 mil computadores foram infectados na América Latina por malware que minerava Monero
VictoryGate
2020-04-23 — ESET Research — Alan Warburton
Following ESET’s discovery, a Monero mining botnet is disrupted
VictoryGate
2020-04-23 — ESET Research — ESET
ESET researchers disrupt cryptomining botnet VictoryGate
VictoryGate
Yara Rules
[TLP:WHITE] win_victorygate_auto (20260504 | Detects win.victorygate.)
rule win_victorygate_auto {
    /*
     * Purpose: code-sequence signature for win.victorygate (the Monero-mining
     * botnet family disrupted in April 2020; see malpedia_reference below).
     *
     * The rule is machine-generated: every $sequence_N is a 7-instruction
     * byte pattern lifted from one unpacked/dumped sample, with relative
     * call/jump targets wildcarded as "??". It carries no string, import or
     * configuration indicators. Several of the sequences look like compiler
     * runtime code rather than family-specific logic (see the per-string
     * notes), so validate it against a clean corpus and treat it as a
     * hunting/triage rule rather than a blocking rule until that is done.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.victorygate."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // MXCSR probe: stmxcsr, mask with 0x7f80, compare against 0x1f80
        // (the default rounding / exception-mask state). NOTE(review): this
        // shape is typical of compiler floating-point runtime helpers, not
        // family-specific logic, so expect it to also match unrelated
        // binaries built with the same toolchain.
        $sequence_0 = { 0f84aeba0000 83ec08 0fae5c2404 8b442404 25807f0000 3d801f0000 750f }
            // n = 7, score = 100
            //   0f84aeba0000         | je                  0xbab4
            //   83ec08               | sub                 esp, 8
            //   0fae5c2404           | stmxcsr             dword ptr [esp + 4]
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   25807f0000           | and                 eax, 0x7f80
            //   3d801f0000           | cmp                 eax, 0x1f80
            //   750f                 | jne                 0x11

        // Table lookup through two hard-coded absolute addresses (0x461a7c,
        // 0x461178). Those bind this sequence to one build at its original
        // image base: a rebased memory dump or a recompiled build will not
        // match it, so it contributes little generalisation.
        $sequence_1 = { 8b85d8f6ffff 0fb704857c1a4600 8d048578114600 50 8d85f0f6ffff 03c7 50 }
            // n = 7, score = 100
            //   8b85d8f6ffff         | mov                 eax, dword ptr [ebp - 0x928]
            //   0fb704857c1a4600     | movzx               eax, word ptr [eax*4 + 0x461a7c]
            //   8d048578114600       | lea                 eax, [eax*4 + 0x461178]
            //   50                   | push                eax
            //   8d85f0f6ffff         | lea                 eax, [ebp - 0x910]
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax

        // Argument pushes around a "capacity >= 0x10 ? pointer : inline buffer"
        // selection (cmp with 0x10 + cmovae). NOTE(review): this resembles the
        // MSVC std::string small-buffer check; if so it is generic C++ runtime
        // code and a weak discriminator on its own.
        $sequence_2 = { 57 ff75ec c745fc00000000 ff7108 837de410 ff75e0 0f4345d0 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   ff7108               | push                dword ptr [ecx + 8]
            //   837de410             | cmp                 dword ptr [ebp - 0x1c], 0x10
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   0f4345d0             | cmovae              eax, dword ptr [ebp - 0x30]

        // Stack clean-up, dword-array indexing (ecx + eax*4), spill of three
        // registers to locals and an equality branch. No family-specific
        // constants.
        $sequence_3 = { 83c404 8d0481 894df8 8955fc 8945e8 3bc8 7427 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   8d0481               | lea                 eax, [ecx + eax*4]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   3bc8                 | cmp                 ecx, eax
            //   7427                 | je                  0x29

        // Byte-wise multiply-then-xor with 0x1000193 (the 32-bit FNV prime),
        // i.e. an FNV-1-style rolling hash, unrolled over consecutive input
        // bytes. Malware commonly uses this for API/string hashing, but so
        // does benign code — TODO confirm what the sample hashes with it.
        $sequence_4 = { 69c993010001 33c8 0fb6450f 69c993010001 33c8 69c993010001 8bc1 }
            // n = 7, score = 100
            //   69c993010001         | imul                ecx, ecx, 0x1000193
            //   33c8                 | xor                 ecx, eax
            //   0fb6450f             | movzx               eax, byte ptr [ebp + 0xf]
            //   69c993010001         | imul                ecx, ecx, 0x1000193
            //   33c8                 | xor                 ecx, eax
            //   69c993010001         | imul                ecx, ecx, 0x1000193
            //   8bc1                 | mov                 eax, ecx

        // push 0x34, one-argument cdecl call (target wildcarded), NULL test on
        // the result. Presumably a 0x34-byte allocation (operator new/malloc)
        // followed by construction — not confirmed from these bytes alone.
        $sequence_5 = { 6a34 8bf1 e8???????? 83c404 85c0 7418 ff750c }
            // n = 7, score = 100
            //   6a34                 | push                0x34
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a
            //   ff750c               | push                dword ptr [ebp + 0xc]

        // Two-argument cdecl call, then an indirect call through a memory slot
        // (ff15 ????????, typically an import-table entry) whose result is
        // stored at [esi + 0xa8]. Both call targets are wildcarded.
        $sequence_6 = { 0f8733110000 52 51 e8???????? 83c408 ff15???????? 8986a8000000 }
            // n = 7, score = 100
            //   0f8733110000         | ja                  0x1139
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   ff15????????         |                     
            //   8986a8000000         | mov                 dword ptr [esi + 0xa8], eax

        // NULL check on esi, then edx = ([ebx+0x38] == 1) ? ebx+0x3c : ebx+8
        // via cmovne, and a 0x18-byte stack reservation. The object layout
        // ([ebx+0x38] flag selecting between two sub-fields) is the only
        // distinctive part.
        $sequence_7 = { 85f6 0f845f030000 837b3801 8d4308 8d533c 0f45d0 83ec18 }
            // n = 7, score = 100
            //   85f6                 | test                esi, esi
            //   0f845f030000         | je                  0x365
            //   837b3801             | cmp                 dword ptr [ebx + 0x38], 1
            //   8d4308               | lea                 eax, [ebx + 8]
            //   8d533c               | lea                 edx, [ebx + 0x3c]
            //   0f45d0               | cmovne              edx, eax
            //   83ec18               | sub                 esp, 0x18

        // After a wildcarded call: writes the byte at [ebp-0x48] into [edi]
        // (reading the old byte into dl first), then loads [edi+0xc].
        $sequence_8 = { e8???????? 0fb64db8 8bf8 8b45c0 8a17 880f 8b770c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0fb64db8             | movzx               ecx, byte ptr [ebp - 0x48]
            //   8bf8                 | mov                 edi, eax
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   8a17                 | mov                 dl, byte ptr [edi]
            //   880f                 | mov                 byte ptr [edi], cl
            //   8b770c               | mov                 esi, dword ptr [edi + 0xc]

        // Sets the local at [ebp-4] to 5, calls with the arg at [ebp+8]
        // (target wildcarded), then moves edi into eax and restores edi —
        // the tail of a function returning edi. The "5" looks like an
        // exception-handling state/step counter (MSVC pattern) — unconfirmed.
        $sequence_9 = { c745fc05000000 8d4d10 ff7508 e8???????? 8b4df4 8bc7 5f }
            // n = 7, score = 100
            //   c745fc05000000       | mov                 dword ptr [ebp - 4], 5
            //   8d4d10               | lea                 ecx, [ebp + 0x10]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi

    condition:
        // Fire when at least 7 of the 10 sequences match (~70% threshold) and
        // the scanned object is below ~1.15 MiB. NOTE(review): the strings were
        // derived from memory dumps, yet `filesize` is undefined when YARA
        // scans a live process rather than a file — confirm against the YARA
        // docs for your version and consider dropping or guarding the size
        // clause for process/memory scanning.
        7 of them and filesize < 1209344
}