{
	"id": "d9561363-7f4f-4168-9256-089ed086f7ee",
	"created_at": "2026-04-06T00:17:14.880169Z",
	"updated_at": "2026-04-10T03:21:28.141938Z",
	"deleted_at": null,
	"sha1_hash": "a8d5f6d96e5df4ad6348605a62746cbb631bc15e",
	"title": "CoinLoader: A Sophisticated Malware Loader Campaign - Avira Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2105024,
	"plain_text": "CoinLoader: A Sophisticated Malware Loader Campaign - Avira Blog\r\nBy Avira\r\nPublished: 2019-11-28 · Archived: 2026-04-05 17:32:51 UTC\r\nMalware is constantly evolving. As the different types do so, they find new ways to bypass security solutions and try to slip under the radar of security companies to become more persistent and hide their identity. During the last year, Avira researchers have been monitoring and investigating a loader family. The loader caught our attention because of the anti-analysis methods it implements throughout its infection cycle.\r\nOnce the loader is activated, the payload can trigger a chain of events that eventually results in the installation of adware, bots, pay-per-install campaigns, and even other Trojan downloaders.\r\nFirst look\r\nWe were seeing DLLs named msimg32.dll being loaded by an executable named setup.exe. Even though the former is not an original Windows DLL, both files were part of the same archive, which typically contained one further resource DLL. Each archive always contained the same setup.exe, while the remaining two files changed daily.\r\nIn general, the Portable Executable attributes of the DLL were constantly changing, except one: the export name “AlphaBlend”. The DLL came packed using one of many popular packers such as UPX, MPress or VMProtect, or using custom packers.\r\nFigure 1: Exports of msimg32.dll\r\nWe ran msimg32.dll in the analysis environment, but it failed to execute. So before we began our static analysis of the file, we assumed that it may have failed because the DLL expects to be loaded by setup.exe along with the resource DLL. Consequently, we decided to find the archive, which we achieved with the help of Avira Threat Intelligence. 
The archive was always called something like “setup.zip” or “setup_\u003c4-digit random number\u003e.zip”.\r\nhttps://www.avira.com/en/blog/coinloader-a-sophisticated-malware-loader-campaign\r\nPage 1 of 18\n\nFigure 2: setup.zip\r\nThe file setup.exe is a digitally signed clean file, and is a component of the software.\r\nUnfortunately, this time, even with the complete archive, the sample failed to execute in the analysis environment, which included both virtual and physical machines. When we executed the sample, an error message was thrown:\r\nFigure 3: Failed execution\r\nInside msimg32.dll\r\nAs our attempt to run the sample failed, it made us even more curious to investigate further. So we started digging into the code of msimg32.dll to find out exactly why the sample didn’t execute.\r\nAfter initial unpacking, the sample calculates the base address of kernel32.dll from the TEB (Thread Environment Block)—a typical method used by malware to retrieve the API addresses required for it to execute.\r\nFigure 4: Base address calculation of kernel32.dll\r\nFigure 5: Relevant APIs retrieved in the first stage\r\nAfter resolving the APIs, the DLL collects the information listed below:\r\nIt uses RegOpenKeyExW to check whether HKCU\\Software contains an Avira or ESET key name, and stores the result.\r\nIt loads the resource DLL (the second DLL in the archive), then loads a string from the resource DLL and compares it to a string present in msimg32.dll.\r\nIt retrieves the DNS cache of the machine using the DnsGetCacheDataTable API function. 
The malware checks the DNS cache entries for three strings (see below for the list of domains).\r\nThe sample checks whether it has admin privileges by checking whether it can access SeRestorePrivilege using LookupPrivilegeValueA. It then launches itself with the command line “a70a003acda2a13c1bad50d2ba0139ac” to become an administrator user. A normal Windows UAC prompt appears—but this is only natural, since “setup.exe” is a special process name for which the Windows UAC window is prompted anyhow.\r\nFigure 6: Strings that are searched for in the DNS cache entries\r\nBased on an evaluation of the information collected in the first stage, the DLL decides whether to continue. See below for the conditions that must be satisfied:\r\nIf the Avira or ESET key is present in the registry under HKCU\\Software, it stops execution and exits.\r\nIf the string from the resource DLL doesn’t match the string in the loader DLL, the loader stops execution and exits. 
Here, the loader confirms it is executing from the whole archive by checking the integrity of the resource DLL.\r\nIf “.avira” or “.eset” is present in the DNS cache, it stops execution and exits.\r\nIt retrieves the command line of the running process and checks whether it contains “a70a003acda2a13c1bad50d2ba0139ac”.\r\nIf “dms.images.consumer” isn’t present in the DNS cache, it stops execution and exits.\r\na) Checks for the AVIRA key in the registry\r\nb) Compares the local decrypted string with the string loaded from the accompanying DLL inside the archive\r\nc) Calls DnsGetCacheDataTable\r\nd) Searches for the “.eset” string in the retrieved DNS cache list\r\ne) Looks for the specific string in the DNS cache\r\nFigure 7: Sequence of checks\r\nOf all the checks, the one that stood out most was the one for the specific string “dms.images.consumer”. This string is searched for within each entry of the DNS cache, meaning that if it is found, the victim has visited a matching page previously. The string looks like part of a domain name rather than a complete one. None of our telemetry sensors concluded that this was targeted, so all victims had this in their DNS cache. Consequently, we assumed that this was part of an infection chain that makes the user visit a website whose domain contains the string “dms.images.consumer”. Still, questions persisted, such as how so many users ended up getting infected. To find out why, we needed to identify how these setup.zip archives were getting onto each victim’s machine.\r\nWhy is “dms.images.consumer” important?\r\nBefore finding out how the setup.zip files ended up on the machine, we needed to determine why the domain containing the string “dms.images.consumer” is important for execution of the sample. 
So to find that out, we patched the result in a debugger to make the malware believe our analysis machines had a cached domain containing the required string. Allowing the code to continue, we found that the malware is interested in the last eleven characters of the domain name that contains “dms.images.consumer”. Consequently, it was expecting something like “dms.images.consumerXXXXXXXXXXX” in the cache, and it appends the string “13d32” to those last eleven characters, perhaps as some sort of marker. So the value that it stores is “XXXXXXXXXXX13d32”, but at this point we didn’t yet know what would appear in place of the Xs.\r\nThe next stage involves the code resolving the next set of APIs. See below for the key ones:\r\nFigure 8: Relevant APIs involved in the second stage\r\nAfter resolving the relevant APIs, the malware loads the accompanying DLL present in the same directory. It loads the DLL with the LOAD_LIBRARY_AS_DATAFILE flag using the LoadLibraryExW API, then loads the RCDATA resource. After this, it tries to set up decryption using Bcrypt.dll. Here are the steps:\r\n1. It calls BCryptOpenAlgorithmProvider and sets the provider to AES.\r\n2. It calls BCryptGetProperty for the pszProperty values ObjectLength \u0026 BlockLength.\r\n3. It calls BCryptSetProperty to set the pszProperty ChainingMode to ChainingModeCBC.\r\n4. It calls BCryptGenerateSymmetricKey.\r\n5. The fifth argument, pbSecret, points to the last eleven characters of the “dms.images.consumer” domain + “13d32”, so now it is “XXXXXXXXXXX13d32”. Consequently, we knew we would not generate the required key object and would fail.\r\n6. It calls BCryptDecrypt.\r\n7. 
The second argument, pbInput, is a pointer to the resource data loaded earlier from the accompanying DLL present in the same directory.\r\nAt this point we can’t perform the decryption, since we don’t have the proper secret key.\r\nInitial infection vector\r\nNow we know why “dms.images.consumer” is important, so next we have to find the domain name that contains “dms.images.consumer”. A simple pattern match in a URL database should have been enough, but that wouldn’t exactly answer the question of how the DNS caches of so many users’ machines ended up containing this domain name. So we needed to find out what the initial infection vector was. The first thing we checked was where these setup.zip files are hosted. Most of the time the setup.zip files are hosted on clean websites, which attackers compromise and use as hosting platforms. Most of the clean websites were running outdated web servers, making it easy for attackers to exploit file upload vulnerabilities.\r\nIrrespective of this, the domain name of each clean website didn’t contain the string “dms.images.consumer”. So at this stage it was clear that users may have been victims of a drive-by download attack or a social engineering scam.\r\nSo we started looking back into our telemetry and began noticing that in many cases the sample was executed inside the installation directory of popular software and games. Why would a user run the sample “setup.exe” from these directories? The answer is that these victims were trying to install fake cracks, believing them to be genuine.\r\nSpreading malware through cracks or keygens isn’t new, but the actors behind this campaign are consistently very successful at getting malware onto many machines. Every day, new victims from all over the world fall prey—so there must be something driving these users to fake crack websites. 
If we were able to find these fake crack websites and trigger a download to get setup.zip, we should be able to find the domain that contained the string “dms.images.consumer”.\r\nThe search engine connection\r\nWe started the same way as any normal user would when searching for cracks. See below for our list of what we would expect an average-Joe user to do to download a crack and execute it—which of course is an assumption on our part:\r\nVisit any popular search engine like Google or Yahoo!\r\nSearch using keywords like “any popular software name” + “crack or serial number or full version”\r\nMost probably visit the top 10 pages\r\nDownload the crack, copy it to the target software install directory, and execute it\r\nSo if the attackers are successful at getting into the top 10 search results, there is a high probability that the user will visit the website and fall victim. Search engines use various algorithms and methods to rank websites based on search keywords. It’s something we won’t address here, but for a detailed guide see here.\r\nSo assuming the above, we performed a search using google.com as our search engine. Our assumption proved correct, as we were able to obtain a setup.zip file by these means. Immediately, we checked our analysis machines to verify that we had the domain name containing the string “dms.images.consumer” in the DNS cache.\r\nThe keyword\r\nWhen we went through the returned search results, we noticed multiple websites being hosted on Weebly.com. Weebly is a free web hosting service that offers many SEO features too. We were interested only in those pages hosted on Weebly because we were able to find multiple pages sharing the same pattern in their code when performing a search using the same keyword. 
So we fine-tuned our search and added one more keyword: “weebly”.\r\nFigure 9: Search results from keywords: Double Cad, serial number, weebly\r\nFigure 9.1: Search results from keywords: Autodesk, serial number, weebly\r\nFrom the search results it was clear that attackers have created lots of fake pages and hosted them on Weebly. When we visited one of the pages via the search results, we were immediately presented with a fake download page; however, when we visited the same website by entering its URL directly in the browser, we didn’t get the same result. We checked the page’s source code, and unsurprisingly it contained encrypted JavaScript—the same was present in most of the pages.\r\nFigure 10: Encrypted script\r\nWe decoded the script and identified that there are two layers before the actual check is completed and a fake download page pops up.\r\nFigure 11: Script layer 1\r\nIn the second layer, the script checks whether “document.referrer” contains any of the entries listed in Figure 12. If not, the script skips popping up the fake download page, and it additionally checks that the user agent doesn’t match any of the entries listed in Figure 13. 
This comprehensive check of both aspects is done to avoid serving content to crawlers that visit the URL directly without referrers.\r\nFigure 12: List of accepted referrers\r\nFigure 13: List of blocked user agents\r\nFigure 14: Script that avoids crawlers and pops up a fake download page\r\nAfter passing the above checks, a fake download page pops up that tricks the user into clicking the download button. Then, a few redirects happen before the setup.zip file drops onto the machine. While analyzing the traffic, we were able to find the response that provides the download link to setup.zip. It also contained an iframe that loads a 1px x 1px image from https://crdms.images.consumerreports.org/t_pcard_sm,dpr_2.0,w_200,c_scale/prod/products/cr/product-groups/28984, which in turn updates the DNS cache with the domain name crdms.images.consumerreports.org. Now it is clear how a domain name containing the string “dms.images.consumer” ends up in the DNS cache of each victim’s machine. Additionally, the response had an IP fingerprinting function.\r\nFigure 15: Fake download page\r\nFigure 16: Response with download link and DNS cache entry for decryption\r\nWhile tracking this threat, we noticed that most of the time the attackers are compromising clean websites and hosting the malware there. 
We also spotted that the compromised clean websites are poorly configured and run outdated web server versions, making it easier for the attacker to hunt for and exploit these kinds of websites.\r\nFigure 17: Hosted malware example 1, Open Directory\r\nFigure 18: Hosted malware example 2, Open Directory\r\nArmed with the decryption key\r\nNow, armed with knowledge about how the pre-execution check works, it is easy to reproduce this in the analysis environment. That said, we did a bit more static analysis just to confirm whether any more checks were still happening before the loader proceeds. This time we edited the value of the “pbSecret” argument passed to the BCryptGenerateSymmetricKey API to “reports.org13d32”. The decrypted resource was shellcode that resolves a set of APIs. It then enumerates all processes using K32EnumProcesses. As a next step it uses the process IDs to retrieve a handle to each process with the OpenProcess function, and from the retrieved handles it loops to find the file path of every running process using GetModuleFileName. From the list of file paths of the running processes, it searches for the Avira process names listed below. If one is found, it won’t execute further and exits the program.\r\nFigure 19: Avira Antivirus processes\r\nThe loader’s next step is to decrypt the server URL and request an update. Based on the response, the loader decides how to continue processing.\r\nFigure 20: Connecting to the update server\r\nFrom our analysis we noticed that the server URL changes quite often, but the domain registration pattern and the page to which the request is directed don’t:\r\ndomain name pattern—\u003calphabet, length 6~8\u003e-cloud.icu. 
“-cloud.icu” has been present in the domains for a long time.\r\npage—“update.php” was the page name in all the samples we’ve analyzed so far.\r\nFurther components\r\nIn the next stage of execution, the loader drops further components into the directory “%windir%\\System32\\microsoft\\protect\\S-\u003crandom\u003e\\” or “%windir%\\Syswow64\\microsoft\\protect\\S-\u003crandom\u003e\\” and sets the ownership of the folder and files to NT AUTHORITY\\SYSTEM and their attributes to Hidden and System.\r\nFigure 21: List of further components dropped by the loader\r\nSecond Stage:\r\nRB_1.4.16.48.exe—Clean Apple Push executable, which imports AppleVersions.dll. The file name is random, but the prefix is always RB_.\r\nmsvcp100.dll \u0026 msvcr100.dll—Microsoft® C Runtime Library.\r\nAppleVersions.dll \u0026 data.dll—Second stage component of the loader, which decides whether a further payload is dropped onto the machine.\r\nRB_1.4.16.48.exe loads AppleVersions.dll due to DLL search order hijacking.\r\nFinal Stage:\r\nFinal stage components are dropped by the second stage components of the loader.\r\nTiWorker.exe – Clean Sysinternals tool NotMyFault\r\nRiched32.dll – Final stage component of the loader\r\nFinal stage components are usually dropped under “%windir%\\System32\\\u003crandom\u003e\\S-\u003crandom\u003e\\” or “%windir%\\Syswow64\\\u003crandom\u003e\\S-\u003crandom\u003e\\”.\r\nTiWorker.exe loads Riched32.dll due to DLL search order hijacking; Riched32.dll is not directly imported by the NotMyFault tool, which instead loads it internally using the LoadLibrary API.\r\nThe loader tries to disable Windows Defender features by altering the corresponding Windows Defender registry settings.\r\nFigure 22: Altering Windows Defender settings\r\nThe loader alters the machine’s power scheme using the Windows utility powercfg.exe. 
The commands listed below are typically used by coin miners and keep the machine running even when the user isn’t actually using it. In this case, the loader seeks to actively install further payloads such as pay-per-install campaigns.\r\nFigure 23: Altering the power scheme\r\nPersistence\r\nThe loader schedules the Apple Push (RB_1.4.16.48) executable to run every 15 minutes indefinitely, leveraging taskschd.dll to achieve this.\r\nFigure 24: Loader persistence\r\nPayload\r\nThe payload varied each time the loader was activated. Of course, the loader may behave differently based on the particular system and the victim’s geographical location. One thing we noticed during multiple runs of the loader was that in most cases the download assistant was dropped into the %Temp% directory with the filename run_\u003c6-digit random number\u003e.exe or just \u003c6-digit random number\u003e.exe. See below for a list of each malware family that got onto the machine directly or indirectly while the loader was activated. The payloads never stayed the same and always varied.\r\nFigure 25: Malware dropped by the loader during one of the successful execution attempts\r\nConclusion:\r\nCoinLoader is a highly sophisticated campaign that has been running for at least a year. It updates its components on a daily basis, ranging from files to hosting URLs. It also tries to evade security solutions through various means, from initial infection vectors to the final payloads.\r\nFigure 26: Execution flow of CoinLoader\r\nCoinLoader abuses free web hosting services, exploits poorly configured clean websites to host its payloads, and further abuses clean software using DLL search order hijacking. 
Ultimately, the main reason for its success is that users still fall victim to social engineering scams. CoinLoader once again proves that social engineering still plays a major role in spreading malware.\r\nAll components associated with the CoinLoader family are detected by Avira as TR/CoinLoader.Gen \u0026 TR/AD.CoinLoader.B.\r\nMITRE ATT\u0026CK\r\nT1027 – Obfuscated Files or Information\r\nT1036 – Masquerading\r\nT1038 – DLL Search Order Hijacking\r\nT1043 – Commonly Used Port\r\nT1053 – Scheduled Task\r\nT1059 – Command-Line Interface\r\nT1089 – Disabling Security Tools\r\nT1129 – Execution through Module Load\r\nT1158 – Hidden Files and Directories\r\nIOC: CoinLoader full IOC list available here\r\nSource: https://www.avira.com/en/blog/coinloader-a-sophisticated-malware-loader-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.avira.com/en/blog/coinloader-a-sophisticated-malware-loader-campaign"
	],
	"report_names": [
		"coinloader-a-sophisticated-malware-loader-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434634,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8d5f6d96e5df4ad6348605a62746cbb631bc15e.pdf",
		"text": "https://archive.orkl.eu/a8d5f6d96e5df4ad6348605a62746cbb631bc15e.txt",
		"img": "https://archive.orkl.eu/a8d5f6d96e5df4ad6348605a62746cbb631bc15e.jpg"
	}
}