Adversaries are likely deploying Coinminer malware matching the known IOCs below to mine cryptocurrency undetected on compromised systems. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and mitigate cryptocurrency mining before it causes significant resource depletion or financial loss.
IOC Summary

Malware Family: Coinminer
Total IOCs: 6
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 20a1484577dc0b66613cc70619a74dfcaa7da6c19d0a4949cbc83a8e80317fd9 | payload | 2026-06-11 | 95% |
| sha1_hash | 213cd9fcf2377c5b72e02e4490863dc535bbe871 | payload | 2026-06-11 | 95% |
| md5_hash | b82f0b9989f316d6679e1ea067e31cdd | payload | 2026-06-11 | 95% |
| sha1_hash | 059182cc6f9d9a6ae2aced1075e5ab3f4e081d55 | payload | 2026-06-11 | 95% |
| md5_hash | 1f8b721815bfd4f57aa377369fa5f2ed | payload | 2026-06-11 | 95% |
| sha256_hash | f0ff7f1e0e1544828984d40247d38e38cb4b5d528665098c058e41b24db1d56f | payload | 2026-06-11 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Coinminer
let malicious_hashes = dynamic([
    "20a1484577dc0b66613cc70619a74dfcaa7da6c19d0a4949cbc83a8e80317fd9",
    "213cd9fcf2377c5b72e02e4490863dc535bbe871",
    "b82f0b9989f316d6679e1ea067e31cdd",
    "059182cc6f9d9a6ae2aced1075e5ab3f4e081d55",
    "1f8b721815bfd4f57aa377369fa5f2ed",
    "f0ff7f1e0e1544828984d40247d38e38cb4b5d528665098c058e41b24db1d56f"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
// Project all three hash columns so an MD5- or SHA1-only match still shows the matched value
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
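The query above reports only file-write events, so a hit does not tell the analyst whether the Coinminer payload ever ran. The following query is an added example (not part of the original playbook) that runs the same hash match across both DeviceFileEvents and DeviceProcessEvents and summarises per device whether the file was merely dropped or actually executed; the empty `known_benign_initiators` list is a hypothetical allow-list for the false-positive scenarios listed on this page, to be populated only after each entry has been verified in your own environment. It assumes the Microsoft Defender XDR connector populates both tables.

```kusto
// Added example: triage Coinminer hash hits as "dropped only" vs. "executed".
// Assumes DeviceFileEvents and DeviceProcessEvents are ingested via the Defender XDR connector.
let malicious_hashes = dynamic([
    "20a1484577dc0b66613cc70619a74dfcaa7da6c19d0a4949cbc83a8e80317fd9",
    "213cd9fcf2377c5b72e02e4490863dc535bbe871",
    "b82f0b9989f316d6679e1ea067e31cdd",
    "059182cc6f9d9a6ae2aced1075e5ab3f4e081d55",
    "1f8b721815bfd4f57aa377369fa5f2ed",
    "f0ff7f1e0e1544828984d40247d38e38cb4b5d528665098c058e41b24db1d56f"
]);
// Hypothetical allow-list of initiating process names (e.g. a verified backup or
// config-management agent). Left empty on purpose; add entries only after validation.
let known_benign_initiators = dynamic([]);
let lookback = 30d;
union
    (DeviceFileEvents
     | where Timestamp > ago(lookback)
     | extend Stage = "file_written"),
    (DeviceProcessEvents
     | where Timestamp > ago(lookback)
     | extend Stage = "process_started")
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
// Apply the allow-list case-insensitively; an empty list excludes nothing
| where not(InitiatingProcessFileName in~ (known_benign_initiators))
// Record which hash actually matched so analysts can cross-reference the IOC table
| extend MatchedHash = case(
    SHA256 in (malicious_hashes), SHA256,
    SHA1 in (malicious_hashes), SHA1,
    MD5)
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Stages      = make_set(Stage),
    Files       = make_set(FileName),
    Paths       = make_set(FolderPath),
    Initiators  = make_set(InitiatingProcessFileName),
    Accounts    = make_set(InitiatingProcessAccountName)
  by DeviceName, MatchedHash
// True when the matched binary was seen starting as a process, not just written to disk
| extend Executed = set_has_element(Stages, "process_started")
| order by Executed desc, LastSeen desc
```

Rows with `Executed == true` are the ones to escalate first; rows where `Stages` contains only `file_written` still warrant containment of the file but indicate the miner may not have started.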
Scenario: Legitimate System Backup Job Using Coinminer-Related Tools
Description: A scheduled backup job uses a tool like rsync or robocopy with a script that coincidentally matches a Coinminer IOC pattern.
Filter/Exclusion: Exclude processes initiated by the system backup service (e.g., cron or task scheduler with known backup job names).
Scenario: Admin Task Involving File Copying with Coinminer-Related File Names
Description: An administrator copies files using a script that includes a filename matching a Coinminer IOC (e.g., minerd.exe or xmrig).
Filter/Exclusion: Exclude processes initiated by admin users with elevated privileges and associated with known administrative tasks (e.g., admin or root user, or processes with sudo in the command line).
Scenario: Legitimate Log Monitoring Tool Using Coinminer-Related Commands
Description: A log monitoring tool like logrotate or splunk uses a command that includes a Coinminer IOC (e.g., minerd or cpuminer).
Filter/Exclusion: Exclude processes associated with log management tools or known monitoring services (e.g., logrotate, splunk, or syslog-ng).
Scenario: Scheduled Job for Mining Pool Configuration Updates
Description: A scheduled job updates mining pool configurations using a script that includes a Coinminer IOC (e.g., stratum or mining.conf).
Filter/Exclusion: Exclude processes initiated by a known configuration management tool (e.g., Ansible, Chef, or Puppet) or those associated with scheduled job names like update_mining_config.
Scenario: Legitimate Use of Coinminer Tools for Internal Benchmarking
Description: A