sigma | high | TTP
Network Communication With Crypto Mining Pool
Detects initiated network connections to crypto mining pools
Detection Query
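# Detection logic of the rule: one selection on the destination hostname of an
# initiated network connection. The list is OR-ed: any single value matches.
# Nesting restored; as flattened, `DestinationHostname` was a sibling of
# `selection` rather than its child.
selection:
    # No value modifier is used, so each entry is compared as a whole
    # hostname. A subdomain that is not listed (for example a new regional
    # endpoint under a listed apex domain) does not match.
    DestinationHostname:
        - alimabi.cn
        - ap.luckpool.net
        - bcn.pool.minergate.com
        - bcn.vip.pool.minergate.com
        - bohemianpool.com
        - ca-aipg.miningocean.org
        - ca-dynex.miningocean.org
        - ca-neurai.miningocean.org
        - ca-qrl.miningocean.org
        - ca-upx.miningocean.org
        - ca-zephyr.miningocean.org
        - ca.minexmr.com
        - ca.monero.herominers.com
        - cbd.monerpool.org
        - cbdv2.monerpool.org
        - cryptmonero.com
        - crypto-pool.fr
        - crypto-pool.info
        - cryptonight-hub.miningpoolhub.com
        - d1pool.ddns.net
        - d5pool.us
        - daili01.monerpool.org
        - de-aipg.miningocean.org
        - de-dynex.miningocean.org
        - de-zephyr.miningocean.org
        - de.minexmr.com
        - dl.nbminer.com
        - donate.graef.in
        - donate.ssl.xmrig.com
        - donate.v2.xmrig.com
        - donate.xmrig.com
        - donate2.graef.in
        - drill.moneroworld.com
        - dwarfpool.com
        - emercoin.com
        - emercoin.net
        - emergate.net
        - ethereumpool.co
        - eu.luckpool.net
        - eu.minerpool.pw
        - fcn-xmr.pool.minergate.com
        - fee.xmrig.com
        - fr-aipg.miningocean.org
        - fr-dynex.miningocean.org
        - fr-neurai.miningocean.org
        - fr-qrl.miningocean.org
        - fr-upx.miningocean.org
        - fr-zephyr.miningocean.org
        - fr.minexmr.com
        - hellominer.com
        - herominers.com
        - hk-aipg.miningocean.org
        - hk-dynex.miningocean.org
        - hk-neurai.miningocean.org
        - hk-qrl.miningocean.org
        - hk-upx.miningocean.org
        - hk-zephyr.miningocean.org
        - huadong1-aeon.ppxxmr.com
        - iwanttoearn.money
        - jw-js1.ppxxmr.com
        - koto-pool.work
        - lhr.nbminer.com
        - lhr3.nbminer.com
        - linux.monerpool.org
        - lokiturtle.herominers.com
        - luckpool.net
        - masari.miner.rocks
        - mine.c3pool.com
        - mine.moneropool.com
        - mine.ppxxmr.com
        - mine.zpool.ca
        - mine1.ppxxmr.com
        - minemonero.gq
        - miner.ppxxmr.com
        - miner.rocks
        - minercircle.com
        - minergate.com
        - minerpool.pw
        - minerrocks.com
        - miners.pro
        - minerxmr.ru
        - minexmr.cn
        - minexmr.com
        - mining-help.ru
        - miningpoolhub.com
        - mixpools.org
        - moner.monerpool.org
        - moner1min.monerpool.org
        - monero-master.crypto-pool.fr
        - monero.crypto-pool.fr
        - monero.hashvault.pro
        - monero.herominers.com
        - monero.lindon-pool.win
        - monero.miners.pro
        - monero.riefly.id
        - monero.us.to
        - monerocean.stream
        - monerogb.com
        - monerohash.com
        - moneroocean.stream
        - moneropool.com
        - moneropool.nl
        - monerorx.com
        - monerpool.org
        - moriaxmr.com
        - mro.pool.minergate.com
        - multipool.us
        - myxmr.pw
        - na.luckpool.net
        - nanopool.org
        - nbminer.com
        - node3.luckpool.net
        - noobxmr.com
        # NOTE(review): this value looks like two hostnames run together. As
        # written it can only match that exact string - confirm against the
        # rule's source list and split it if so.
        - pangolinminer.comgandalph3000.com
        - pool.4i7i.com
        - pool.armornetwork.org
        - pool.cortins.tk
        - pool.gntl.co.uk
        - pool.hashvault.pro
        - pool.minergate.com
        - pool.minexmr.com
        - pool.monero.hashvault.pro
        - pool.ppxxmr.com
        - pool.somec.cc
        - pool.support
        - pool.supportxmr.com
        - pool.usa-138.com
        - pool.xmr.pt
        - pool.xmrfast.com
        - pool2.armornetwork.org
        - poolchange.ppxxmr.com
        - pooldd.com
        - poolmining.org
        - poolto.be
        - ppxvip1.ppxxmr.com
        - ppxxmr.com
        - prohash.net
        - r.twotouchauthentication.online
        - randomx.xmrig.com
        - ratchetmining.com
        - seed.emercoin.com
        - seed.emercoin.net
        - seed.emergate.net
        - seed1.joulecoin.org
        - seed2.joulecoin.org
        - seed3.joulecoin.org
        - seed4.joulecoin.org
        - seed5.joulecoin.org
        - seed6.joulecoin.org
        - seed7.joulecoin.org
        - seed8.joulecoin.org
        - sg-aipg.miningocean.org
        - sg-dynex.miningocean.org
        - sg-neurai.miningocean.org
        - sg-qrl.miningocean.org
        - sg-upx.miningocean.org
        - sg-zephyr.miningocean.org
        - sg.minexmr.com
        - sheepman.mine.bz
        - siamining.com
        - sumokoin.minerrocks.com
        - supportxmr.com
        - suprnova.cc
        - teracycle.net
        - trtl.cnpool.cc
        - trtl.pool.mine2gether.com
        - turtle.miner.rocks
        - us-aipg.miningocean.org
        - us-dynex.miningocean.org
        - us-neurai.miningocean.org
        - us-west.minexmr.com
        - us-zephyr.miningocean.org
        - usxmrpool.com
        - viaxmr.com
        - webservicepag.webhop.net
        - xiazai.monerpool.org
        - xiazai1.monerpool.org
        - xmc.pool.minergate.com
        - xmo.pool.minergate.com
        - xmr-asia1.nanopool.org
        - xmr-au1.nanopool.org
        - xmr-eu1.nanopool.org
        - xmr-eu2.nanopool.org
        - xmr-jp1.nanopool.org
        - xmr-us-east1.nanopool.org
        - xmr-us-west1.nanopool.org
        - xmr-us.suprnova.cc
        - xmr-usa.dwarfpool.com
        - xmr.2miners.com
        - xmr.5b6b7b.ru
        - xmr.alimabi.cn
        - xmr.bohemianpool.com
        - xmr.crypto-pool.fr
        - xmr.crypto-pool.info
        - xmr.f2pool.com
        - xmr.hashcity.org
        - xmr.hex7e4.ru
        - xmr.ip28.net
        - xmr.monerpool.org
        - xmr.mypool.online
        - xmr.nanopool.org
        - xmr.pool.gntl.co.uk
        - xmr.pool.minergate.com
        - xmr.poolto.be
        - xmr.ppxxmr.com
        - xmr.prohash.net
        - xmr.simka.pw
        - xmr.somec.cc
        - xmr.suprnova.cc
        - xmr.usa-138.com
        - xmr.vip.pool.minergate.com
        - xmr1min.monerpool.org
        - xmrf.520fjh.org
        - xmrf.fjhan.club
        - xmrfast.com
        - xmrigcc.graef.in
        - xmrminer.cc
        - xmrpool.de
        - xmrpool.eu
        - xmrpool.me
        - xmrpool.net
        - xmrpool.xyz
        - xx11m.monerpool.org
        - xx11mv2.monerpool.org
        - xxx.hex7e4.ru
        - zarabotaibitok.ru
        - zer0day.ru
# The rule fires on the selection alone; there is no filter clause.
condition: selection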
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2021-10-26
Data Sources
windows: Network Connection Events
Platforms
windows
References
Tags
attack.impact, attack.t1496
Raw Content
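# Sigma rule: flags Windows network-connection events whose destination
# hostname is one of a fixed list of crypto mining pool hostnames
# (MITRE ATT&CK T1496, impact).
# Nesting restored: as flattened, `logsource` and `detection` were empty and
# their children sat at the top level.
title: Network Communication With Crypto Mining Pool
id: fa5b1358-b040-4403-9868-15f7d9ab6329
status: stable
description: Detects initiated network connections to crypto mining pools
references:
    - https://www.poolwatch.io/coin/monero
    - https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
    - https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-26
# The hostname list is a point-in-time snapshot as of this date; pool
# endpoints added later are not covered until the list is refreshed.
modified: 2024-01-19
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # No value modifier is used, so each entry is compared as a whole
        # hostname and the list is OR-ed. A subdomain that is not listed does
        # not match, even when its apex domain is in the list.
        # NOTE(review): with Sysmon as the source, this field is typically
        # filled by resolving the destination IP and can be empty or differ
        # from the name the process looked up. Pair this rule with a
        # DNS-query based detection where that matters.
        DestinationHostname:
            - 'alimabi.cn'
            - 'ap.luckpool.net'
            - 'bcn.pool.minergate.com'
            - 'bcn.vip.pool.minergate.com'
            - 'bohemianpool.com'
            - 'ca-aipg.miningocean.org'
            - 'ca-dynex.miningocean.org'
            - 'ca-neurai.miningocean.org'
            - 'ca-qrl.miningocean.org'
            - 'ca-upx.miningocean.org'
            - 'ca-zephyr.miningocean.org'
            - 'ca.minexmr.com'
            - 'ca.monero.herominers.com'
            - 'cbd.monerpool.org'
            - 'cbdv2.monerpool.org'
            - 'cryptmonero.com'
            - 'crypto-pool.fr'
            - 'crypto-pool.info'
            - 'cryptonight-hub.miningpoolhub.com'
            - 'd1pool.ddns.net'
            - 'd5pool.us'
            - 'daili01.monerpool.org'
            - 'de-aipg.miningocean.org'
            - 'de-dynex.miningocean.org'
            - 'de-zephyr.miningocean.org'
            - 'de.minexmr.com'
            - 'dl.nbminer.com'
            - 'donate.graef.in'
            - 'donate.ssl.xmrig.com'
            - 'donate.v2.xmrig.com'
            - 'donate.xmrig.com'
            - 'donate2.graef.in'
            - 'drill.moneroworld.com'
            - 'dwarfpool.com'
            - 'emercoin.com'
            - 'emercoin.net'
            - 'emergate.net'
            - 'ethereumpool.co'
            - 'eu.luckpool.net'
            - 'eu.minerpool.pw'
            - 'fcn-xmr.pool.minergate.com'
            - 'fee.xmrig.com'
            - 'fr-aipg.miningocean.org'
            - 'fr-dynex.miningocean.org'
            - 'fr-neurai.miningocean.org'
            - 'fr-qrl.miningocean.org'
            - 'fr-upx.miningocean.org'
            - 'fr-zephyr.miningocean.org'
            - 'fr.minexmr.com'
            - 'hellominer.com'
            - 'herominers.com'
            - 'hk-aipg.miningocean.org'
            - 'hk-dynex.miningocean.org'
            - 'hk-neurai.miningocean.org'
            - 'hk-qrl.miningocean.org'
            - 'hk-upx.miningocean.org'
            - 'hk-zephyr.miningocean.org'
            - 'huadong1-aeon.ppxxmr.com'
            - 'iwanttoearn.money'
            - 'jw-js1.ppxxmr.com'
            - 'koto-pool.work'
            - 'lhr.nbminer.com'
            - 'lhr3.nbminer.com'
            - 'linux.monerpool.org'
            - 'lokiturtle.herominers.com'
            - 'luckpool.net'
            - 'masari.miner.rocks'
            - 'mine.c3pool.com'
            - 'mine.moneropool.com'
            - 'mine.ppxxmr.com'
            - 'mine.zpool.ca'
            - 'mine1.ppxxmr.com'
            - 'minemonero.gq'
            - 'miner.ppxxmr.com'
            - 'miner.rocks'
            - 'minercircle.com'
            - 'minergate.com'
            - 'minerpool.pw'
            - 'minerrocks.com'
            - 'miners.pro'
            - 'minerxmr.ru'
            - 'minexmr.cn'
            - 'minexmr.com'
            - 'mining-help.ru'
            - 'miningpoolhub.com'
            - 'mixpools.org'
            - 'moner.monerpool.org'
            - 'moner1min.monerpool.org'
            - 'monero-master.crypto-pool.fr'
            - 'monero.crypto-pool.fr'
            - 'monero.hashvault.pro'
            - 'monero.herominers.com'
            - 'monero.lindon-pool.win'
            - 'monero.miners.pro'
            - 'monero.riefly.id'
            - 'monero.us.to'
            - 'monerocean.stream'
            - 'monerogb.com'
            - 'monerohash.com'
            - 'moneroocean.stream'
            - 'moneropool.com'
            - 'moneropool.nl'
            - 'monerorx.com'
            - 'monerpool.org'
            - 'moriaxmr.com'
            - 'mro.pool.minergate.com'
            - 'multipool.us'
            - 'myxmr.pw'
            - 'na.luckpool.net'
            - 'nanopool.org'
            - 'nbminer.com'
            - 'node3.luckpool.net'
            - 'noobxmr.com'
            # NOTE(review): this value looks like two hostnames run together.
            # As written it can only match that exact string - confirm against
            # the referenced source list and split it if so.
            - 'pangolinminer.comgandalph3000.com'
            - 'pool.4i7i.com'
            - 'pool.armornetwork.org'
            - 'pool.cortins.tk'
            - 'pool.gntl.co.uk'
            - 'pool.hashvault.pro'
            - 'pool.minergate.com'
            - 'pool.minexmr.com'
            - 'pool.monero.hashvault.pro'
            - 'pool.ppxxmr.com'
            - 'pool.somec.cc'
            - 'pool.support'
            - 'pool.supportxmr.com'
            - 'pool.usa-138.com'
            - 'pool.xmr.pt'
            - 'pool.xmrfast.com'
            - 'pool2.armornetwork.org'
            - 'poolchange.ppxxmr.com'
            - 'pooldd.com'
            - 'poolmining.org'
            - 'poolto.be'
            - 'ppxvip1.ppxxmr.com'
            - 'ppxxmr.com'
            - 'prohash.net'
            - 'r.twotouchauthentication.online'
            - 'randomx.xmrig.com'
            - 'ratchetmining.com'
            - 'seed.emercoin.com'
            - 'seed.emercoin.net'
            - 'seed.emergate.net'
            - 'seed1.joulecoin.org'
            - 'seed2.joulecoin.org'
            - 'seed3.joulecoin.org'
            - 'seed4.joulecoin.org'
            - 'seed5.joulecoin.org'
            - 'seed6.joulecoin.org'
            - 'seed7.joulecoin.org'
            - 'seed8.joulecoin.org'
            - 'sg-aipg.miningocean.org'
            - 'sg-dynex.miningocean.org'
            - 'sg-neurai.miningocean.org'
            - 'sg-qrl.miningocean.org'
            - 'sg-upx.miningocean.org'
            - 'sg-zephyr.miningocean.org'
            - 'sg.minexmr.com'
            - 'sheepman.mine.bz'
            - 'siamining.com'
            - 'sumokoin.minerrocks.com'
            - 'supportxmr.com'
            - 'suprnova.cc'
            - 'teracycle.net'
            - 'trtl.cnpool.cc'
            - 'trtl.pool.mine2gether.com'
            - 'turtle.miner.rocks'
            - 'us-aipg.miningocean.org'
            - 'us-dynex.miningocean.org'
            - 'us-neurai.miningocean.org'
            - 'us-west.minexmr.com'
            - 'us-zephyr.miningocean.org'
            - 'usxmrpool.com'
            - 'viaxmr.com'
            - 'webservicepag.webhop.net'
            - 'xiazai.monerpool.org'
            - 'xiazai1.monerpool.org'
            - 'xmc.pool.minergate.com'
            - 'xmo.pool.minergate.com'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-us.suprnova.cc'
            - 'xmr-usa.dwarfpool.com'
            - 'xmr.2miners.com'
            - 'xmr.5b6b7b.ru'
            - 'xmr.alimabi.cn'
            - 'xmr.bohemianpool.com'
            - 'xmr.crypto-pool.fr'
            - 'xmr.crypto-pool.info'
            - 'xmr.f2pool.com'
            - 'xmr.hashcity.org'
            - 'xmr.hex7e4.ru'
            - 'xmr.ip28.net'
            - 'xmr.monerpool.org'
            - 'xmr.mypool.online'
            - 'xmr.nanopool.org'
            - 'xmr.pool.gntl.co.uk'
            - 'xmr.pool.minergate.com'
            - 'xmr.poolto.be'
            - 'xmr.ppxxmr.com'
            - 'xmr.prohash.net'
            - 'xmr.simka.pw'
            - 'xmr.somec.cc'
            - 'xmr.suprnova.cc'
            - 'xmr.usa-138.com'
            - 'xmr.vip.pool.minergate.com'
            - 'xmr1min.monerpool.org'
            - 'xmrf.520fjh.org'
            - 'xmrf.fjhan.club'
            - 'xmrfast.com'
            - 'xmrigcc.graef.in'
            - 'xmrminer.cc'
            - 'xmrpool.de'
            - 'xmrpool.eu'
            - 'xmrpool.me'
            - 'xmrpool.net'
            - 'xmrpool.xyz'
            - 'xx11m.monerpool.org'
            - 'xx11mv2.monerpool.org'
            - 'xxx.hex7e4.ru'
            - 'zarabotaibitok.ru'
            - 'zer0day.ru'
    condition: selection
# The selection has no process (Image) filter, so any process connecting to a
# listed name matches - including a browser opening a pool operator's website.
# Check the initiating process when triaging.
falsepositives:
    - Unlikely
level: high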