Home / malwarePDF  


First posted on 14 August 2018.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win64/CoinMiner.

Explanation :

This threat is a 64-bit executable that has been observed going by the name:



It registers itself as a Windows service by creating an entry in this registry key:

HKLM\System\CurrentControlSet\Services\Windows Driver Service

It creates a copy of itself as:


The dropped copy creates this 1.5 MB 64-bit DLL:

dll.dll (file name)

1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (SHA-256)


The DLL file contains configuration information that determines how this threat mines Monero (XMR) coins. It connects to the following:

  • Pool address: monerohash.com:80
  • Wallet: 4AMwzz1TtGgdyouAzZH1HRRkQiT4eDzGLcQjLgSWbZMA6Zhs2e8fALTfm5osmGNragMTv5VFyTCsuc3WZECg3hEyD6sL9py

The DLL file also includes these CPU usage instructions:

"low_power_mode" : false

"use_slow_memory" : "warn",

"Nicehash_nonce" : false,

"aes_override" : null

The analysis provided here is based on the following sample:

fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (SHA-256)

Last update 14 August 2018