type: entity
confidence: medium
created: 2026-05-26
updated: 2026-06-08
tags: malware-family, cryptominer, impact, defense-evasion, pe

coinminer

Overview

Broad family label applied to commodity cryptocurrency-mining malware. Encompasses stand-alone miners (XMRig, NBMiner), miner-as-a-service downloaders, and droppers that stage mining payloads via legitimate-looking installers. Typically delivered by stealers (e.g., AcrStealer) or bundled with cracked software and game cheats. First-seen in this wiki: 2026-05-26.

Build-stack typically observed

  • Miners: GCC/MinGW (CryptoNight-family miners), MSVC (XMRig MSVC builds), Go (some pool-proxy wrappers), .NET (downloader stubs)
  • Droppers: 7-Zip SFX Constructor, Inno Setup, NSIS, or custom PE droppers with embedded 7z/RAR archives
  • Obfuscation: password-protected 7z archives (AES-256), UPX on miner binaries, encrypted pool-URL strings
  • Signing: some droppers carry Authenticode signature blocks copied from redistributables or open-source tools; the certificate chain may still be valid or merely expired, but the signed hash belongs to the original file, so WinVerifyTrust/signtool verification fails on the dropper. Check the verification result, not just the presence of a signer name in the file properties ^[/intel/analyses/c4ac74268abff27a68f363c4d64cdbb4f743ce5b3dcb1551bf83f4d974ec2326.html]

Deploy / TTPs typically observed

  • 7-Zip SFX silent extraction; the SFX stub then runs its embedded batch script (T1059.003)
  • batch script execution (T1059.003)
  • temp-directory payload staging (T1074.001)
  • job object wrapping the miner process so its lifetime is tied to the launcher (Win32 job-object APIs, T1106)
  • Registry Run keys or scheduled tasks for persistence (T1547.001 / T1053.005)
  • Driver abuse (WinRing0x64.sys) for kernel-level hardware access on some variants: this is the driver XMRig bundles for MSR tuning, and it hands any user-mode caller ring-0 MSR/port/physical-memory access, so its load event is worth alerting on independently of the miner
  • Pool communication over Stratum (JSON-RPC over TCP), commonly on ports 3333/4444/45700; this is the miner's control channel, not data exfiltration
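The chain above (SFX stub staged in a Temp directory, batch launcher, miner child, Stratum connection) is what a detection should pivot on, because each element alone is common on a workstation. The following is an added example, not detection content from this wiki or from any vendor rule set: it rebuilds the process tree from constructed Sysmon-style process-create and network-connect events, scores every process on four indicators, and alerts when the combination crosses a threshold. The event schema, the weights, the threshold of 5, the wallet placeholder and the `7zS4F3B.tmp` extraction directory are all assumptions made for the example.

```python
# Process-chain detection for the SFX -> batch -> miner pattern. Added example;
# the Sysmon-style events below are constructed, not real telemetry.
import re
from dataclasses import dataclass, field

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
POOL_PORTS = {3333, 4444, 45700}          # Stratum ports listed in this entry
MINER_ARGS = re.compile(r"stratum\+(tcp|ssl)://|--donate-level|--algo[= ]|"
                        r"--cpu-max-threads-hint|(^|\s)-o\s+\S+:\d{2,5}", re.I)
BAT_FROM_TEMP = re.compile(r'/c\s+"?[^"]*\\temp\\[^"]*\.(bat|cmd)"?', re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    ports: set = field(default_factory=set)


def in_temp(path: str) -> bool:
    return any(t in path.lower() for t in TEMP_DIRS)


def ancestry(p: Proc, procs: dict) -> list:
    """Image names from the oldest known ancestor down to p."""
    chain, seen = [], set()
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        chain.append(p.image.rsplit("\\", 1)[-1])
        p = procs.get(p.ppid)
    return chain[::-1]


def score(p: Proc, procs: dict):
    """Weighted indicators: each is common alone, the combination is not (weights assumed)."""
    s, why = 0, []
    if in_temp(p.image):
        s += 2
        why.append("image runs from a Temp directory")
    parent = procs.get(p.ppid)
    if parent and parent.image.lower().endswith("\\cmd.exe") and BAT_FROM_TEMP.search(parent.cmdline):
        s += 2
        why.append("parent cmd.exe runs a .bat staged in Temp")
    if MINER_ARGS.search(p.cmdline):
        s += 3
        why.append("miner/Stratum arguments on the command line")
    hit = p.ports & POOL_PORTS
    if hit:
        s += 2
        why.append(f"outbound TCP to pool port(s) {sorted(hit)}")
    return s, why


def detect(events: list, threshold: int = 5) -> list:
    """Rebuild the process tree from events, then score each process."""
    procs = {}
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["image"], ev["cmdline"])
        elif ev["type"] == "network_connect" and ev["pid"] in procs:
            procs[ev["pid"]].ports.add(ev["dport"])
    alerts = []
    for p in procs.values():
        s, why = score(p, procs)
        if s >= threshold:
            alerts.append({"pid": p.pid, "score": s, "chain": ancestry(p, procs), "reasons": why})
    return alerts


T = "C:\\Users\\u\\AppData\\Local\\Temp\\7zS4F3B.tmp"   # constructed SFX extraction dir
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    # SFX dropper masquerading as a VC++ redistributable, launched from Downloads
    {"type": "process_create", "pid": 2000, "ppid": 1000, "image": "C:\\Users\\u\\Downloads\\vc_redist.x64.exe", "cmdline": "vc_redist.x64.exe"},
    {"type": "process_create", "pid": 2100, "ppid": 2000, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": f'cmd /c "{T}\\run.bat"'},
    {"type": "process_create", "pid": 2200, "ppid": 2100, "image": f"{T}\\svchost.exe",
     "cmdline": "svchost.exe -o pool.example.org:3333 -u WALLET_REDACTED -p x --donate-level 1"},
    {"type": "network_connect", "pid": 2200, "dport": 3333},
    # benign: a build script in Temp run from explorer, child is a normal interpreter
    {"type": "process_create", "pid": 3100, "ppid": 1000, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c C:\\Users\\u\\AppData\\Local\\Temp\\build.bat"},
    {"type": "process_create", "pid": 3200, "ppid": 3100, "image": "C:\\Python312\\python.exe", "cmdline": "python.exe setup.py build"},
    {"type": "network_connect", "pid": 3200, "dport": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the Temp-resident `svchost.exe` child crosses the threshold; the benign build script scores 2 for the `.bat`-from-Temp parent alone and is not raised. The weights are deliberately such that no single indicator alerts, since batch scripts in Temp and connections to port 3333 each occur in legitimate software.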

Variants / aliases

  • XMRig CoinMiner (OpenCTI: de9bacb4-8101-4307-933c-cb0778b42f8c)
  • CoinMiner/Win.Agent.R631683
  • CoinMiner/Win.Zephyr.C5575600

Capabilities

  • 7z-sfx-silent-extraction
  • password-protected-archive-deployment
  • batch-script-payload-launcher
  • temp-directory-payload-staging
  • job-object-process-lifecycle
  • authenticode-signature-clone
  • self-deletion-post-extraction
  • stratum-pool-communication
  • pyinstaller-bootloader-extraction
  • python-packed-coinminer-payload
  • aes-encrypted-overlay-pyinstaller-key
  • qwerty-derived-weak-key

Notable analyses

  • /intel/analyses/c4ac74268abff27a68f363c4d64cdbb4f743ce5b3dcb1551bf83f4d974ec2326.html — Signed 7-Zip SFX dropper masquerading as VC++ redistributable, password-protected payload
  • /intel/analyses/801fbba19b4d4828191e87e7311480deaf81e84482dab70adf38d61afd01c1fa.html — PyInstaller single-file bootloader (MSVC 2015, Sep 2018) with embedded Python coinminer payload in zlib-compressed overlay
  • /intel/analyses/39b67a790b89fc8170703baaa98b29e1453a63416f0320bb3ae0f2936306f184.html — PyInstaller bootloader sibling, 4.3 MB with 94% zlib overlay, identical build fingerprint to 801fbba1
  • /intel/analyses/5047235c1d599c8a4e39a073c8c71e6ac6579da3f03606f51cae9b17fe971858.html — Third sibling (1.75 MB) with appended secondary PE at offset 0x173c00, 1.8 MB overlay
  • /intel/analyses/640ed5b536824541112a8b54488353d2938b4d0368a3ed14d41efff1d841c346.html — Fourth sibling (735 KB), same Sep 2018 build fingerprint
  • /intel/analyses/359fcf01a54b89eabcbfcecd734e2af60b6bfa19ffd7fcdd87b1e4ed15db599c.html — Fifth sibling (4.35 MB), AES-encrypted overlay with weak QWERTY-derived key 1qazxsw23edcvfrN, build path F:\files\ftp\crack\exe\build\ftpcrack\
  • /intel/analyses/b4cc27e365f44dd18593d7ca2b4a2d9df95268079beff47940f48cce21bfc979.html — Sixth sibling (630 KB, smallest in cluster), Python 2.7 runtime (python27.dll, libgcc_s_dw2-1.dll), same Sep 2018 build fingerprint, 60.5% zlib overlay.
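The siblings above were clustered on overlay structure (share of the file held by a zlib-compressed overlay, the PyInstaller cookie, a second PE appended at a fixed offset) and on a shared COFF timestamp; the build-stack section likewise flags 7z/RAR archives embedded in dropper overlays. The script below is an added example, not tooling from this wiki or from the linked analyses: it parses the PE headers, computes the overlay offset and overlay share, reads the compile timestamp, and fingerprints the overlay for zlib streams, the PyInstaller cookie, 7z/RAR magic and an appended second PE. Its input is a two-section PE constructed in memory with a PyInstaller-style overlay; the layout, the 0x600 overlay offset and the 2018-09-01 timestamp are assumptions for the example, not values taken from the listed samples.

```python
# Overlay triage for coinminer droppers. Added example: the PE below is built in
# memory for the demonstration and is not one of the analysed files.
import hashlib
import struct
import zlib
from datetime import datetime, timezone

PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"   # PyInstaller CArchive cookie magic
ARCHIVE_MAGICS = {"7z": b"7z\xbc\xaf\x27\x1c", "rar": b"Rar!\x1a\x07"}

def pe_at(buf, off=0):
    """Return the COFF header offset if a PE (MZ, e_lfanew -> 'PE\\0\\0') starts at off."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    if buf[off + e_lfanew:off + e_lfanew + 4] != b"PE\0\0":
        return None
    return off + e_lfanew + 4

def overlay_offset_and_timestamp(pe):
    """Overlay starts where the last section's raw data ends; timestamp is the COFF stamp."""
    coff = pe_at(pe)
    if coff is None:
        raise ValueError("not a PE file")
    nsect, timestamp = struct.unpack_from("<HI", pe, coff + 2)
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    first = coff + 20 + opt_size
    end = 0
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, first + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end, timestamp

def find_all(hay, needle):
    i = hay.find(needle)
    while i != -1:
        yield i
        i = hay.find(needle, i + 1)

def zlib_streams(data):
    """Yield (offset, consumed_bytes, complete) for zlib streams found in data."""
    i = 0
    while i < len(data) - 1:
        # CMF 0x78 = deflate, 32K window; FCHECK makes CMF*256+FLG divisible by 31
        if data[i] == 0x78 and (0x7800 + data[i + 1]) % 31 == 0:
            d = zlib.decompressobj()
            try:
                d.decompress(data[i:])
                consumed = len(data) - i - len(d.unused_data)
                if d.eof or consumed >= 64:   # skip 2-byte false positives
                    yield i, consumed, d.eof
                    i += consumed
                    continue
            except zlib.error:
                pass
        i += 1

def triage(pe):
    off, ts = overlay_offset_and_timestamp(pe)
    ov = pe[off:]
    cookie = ov.rfind(PYINSTALLER_COOKIE)   # the cookie sits at the archive's tail
    return {
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d"),
        "overlay_offset": off,
        "overlay_ratio": round(len(ov) / len(pe), 3),
        "zlib_streams": list(zlib_streams(ov)),
        "pyinstaller_cookie": off + cookie if cookie != -1 else None,
        "archives": [(n, off + ov.find(m)) for n, m in ARCHIVE_MAGICS.items() if m in ov],
        "secondary_pes": [off + i for i in find_all(ov, b"MZ") if pe_at(ov, i) is not None],
    }

def build_sample_pe(overlay, timestamp=1535760000):
    """Constructed two-section PE32: headers padded to 0x200, sections at 0x200 and
    0x400, overlay at 0x600. 1535760000 is 2018-09-01 UTC (assumed stamp)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)   # PE32 magic, rest zeroed
    sections = b""
    for idx, name in enumerate((b".text", b".rdata")):
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x200,
                                0x1000 * (idx + 1), 0x200, 0x200 * (idx + 1),
                                0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + sections).ljust(0x200, b"\0")
    return headers + bytes(0x400) + overlay

def build_sample():
    """PyInstaller-like layout: zlib stream, cookie block, then an appended second PE."""
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(200))
    cookie_block = PYINSTALLER_COOKIE + bytes(16)      # magic plus zeroed cookie fields
    return build_sample_pe(zlib.compress(payload) + cookie_block + build_sample_pe(b""))
```

To run it on a real sample, replace `build_sample()` with `open(path, "rb").read()` and call `triage()`. The fields it returns are the ones the cluster above was keyed on, so a new file with a large zlib overlay, a PyInstaller cookie and a matching compile date should be compared against the listed siblings before it is written up as a separate build.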

Related entities/concepts

  • unclassified-dropper