Malware gone greedy: replaces Bitcoin addresses in the clipboard with the malware creator's Bitcoin address

The person behind the “vti-rescan” file, the “Bitcoin.Clipboard stealer”, has developed a piece of malware that monitors the Windows clipboard for Bitcoin addresses.

#Malware replaces #Bitcoin address copied to clipboard with a hardcoded one (16hfwEmF72oF5nXwr4YDxyLMuHmmGWzJMc)

Once it finds a Bitcoin address on the clipboard, it silently replaces it with the following static Bitcoin address, so that whoever pastes the address afterwards pays the attacker instead of the intended recipient:

16hfwEmF72oF5nXwr4YDxyLMuHmmGWzJMc
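The detection logic for this behaviour, as an added example that is neither the malware's code nor part of the original post: remember what the user actually copied, re-read the clipboard, and alert when an address shows up that the user never copied. The `detect_clipboard_swaps` function, the event model (`copy` events for what the user placed on the clipboard, `poll` events for what a later read returned) and the sample event list are my own constructions; no real clipboard is touched, so the script runs anywhere. The hardcoded attacker address is the one quoted on this page; the other address in the sample is the well-known Bitcoin genesis-block address, used only because its Base58Check checksum is known to be valid.

```python
"""Detect clipboard hijacking of Bitcoin addresses (example code, not from the page)."""
import hashlib
import re

# Address reported on this page as the hardcoded replacement used by the malware.
MALWARE_ADDRESS = "16hfwEmF72oF5nXwr4YDxyLMuHmmGWzJMc"

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Shape of a legacy Base58Check address: version char '1' (P2PKH) or '3' (P2SH),
# 26 to 35 characters in total. Shape only; the checksum is verified separately.
_ADDR = r"[13][" + BASE58_ALPHABET + r"]{25,34}"
ADDR_SHAPE = re.compile(_ADDR)
ADDR_IN_TEXT = re.compile(r"\b" + _ADDR + r"\b")   # Base58 chars are all alphanumeric, so \b works


def b58decode(s: str) -> bytes:
    """Decode Base58 (Bitcoin alphabet). Each leading '1' encodes a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + BASE58_ALPHABET.index(ch)     # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(s: str) -> bool:
    """True if s has the legacy address shape and a correct Base58Check checksum."""
    if not ADDR_SHAPE.fullmatch(s):
        return False
    data = b58decode(s)
    if len(data) != 25:                           # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = data[:21], data[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_addresses(text: str) -> list:
    """All address-shaped tokens in text, in order of appearance."""
    return ADDR_IN_TEXT.findall(text)


def detect_clipboard_swaps(events) -> list:
    """events: sequence of (kind, text) with kind 'copy' (the user placed text on the
    clipboard) or 'poll' (what a later read of the clipboard returned).
    Returns [(copied_address, replacement_address), ...], one entry per copy whose
    address was later found replaced by a different address."""
    alerts = []
    expected = None                               # address the user last copied, if any
    for kind, text in events:
        found = find_addresses(text)
        if kind == "copy":
            expected = found[0] if found else None
        elif kind == "poll" and expected is not None:
            for addr in found:
                if addr != expected:
                    alerts.append((expected, addr))
                    expected = None               # alert once, then wait for the next copy
                    break
    return alerts


# Constructed sample: the user copies a legitimate address, the clipboard is read
# twice, and on the second read the malware has already overwritten it.
SAMPLE_EVENTS = [
    ("copy", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("poll", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # still what the user copied
    ("poll", MALWARE_ADDRESS),                          # silently swapped
    ("copy", "lunch at 12"),                            # no address: nothing to watch
    ("poll", "lunch at 12"),
]

if __name__ == "__main__":
    for copied, swapped in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"clipboard address swapped: {copied} -> {swapped}")
        print(f"replacement passes Base58Check: {is_valid_legacy_address(swapped)}")
```

On a real Windows host the `poll` events would come from a timer reading the clipboard (for example via `ctypes` against `user32.GetClipboardData`); the matching is kept shape-based on purpose, since a hijacker that writes an address with a broken checksum is still a hijacker, and `is_valid_legacy_address` is there to separate real addresses from look-alike strings when you triage the alert.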

The great lads from Polska Cert have provided the Bitcoin address and have tweeted the VirusTotal scan result.

This means that we can take a look at the VirusTotal report:

  • SHA256: f8407b68d4492373fcd639d763879a13b715ef5bd5c8f89aaf573759635d6fb4
  • Filename: vti-rescan
  • Target machine: Intel 386 or later processors and compatible processors
  • Compilation timestamp: 2010-04-15 01:51:16
  • Link date: 2:51 AM 4/15/2010
  • Entry point: 0x00001000
  • Number of sections: 4

Note that the compilation timestamp and the link date are the same PE header field (TimeDateStamp), shown in UTC and in a +01:00 zone respectively; it is set by the linker and can be edited freely by the author, so a 2010 date says nothing reliable about when the sample was actually built.

PE sections

  Name    Virtual address  Virtual size  Raw size  Entropy  MD5
  .text   4096             4401          4608      6.51     bad17e71440d5f17d4488f439c20bc02
  .rdata  12288            3620          4096      6.91     d1700d3a7ab632ad7b83d3bc4f9720cd
  .data   16384            2060          2048      6.37     ef81ffbf654561b6e484f3f564e0e0b7
  .rsrc   20480            4096          4096      7.20     c31a4d72f86ca2034e09f866ffef041d

ExifTool file metadata

  MIMEType: application/octet-stream
  Subsystem: Windows GUI
  MachineType: Intel 386 or later, and compatibles
  TimeStamp: 2010:04:15 02:51:16+01:00
  FileType: Win32 EXE
  PEType: PE32
  CodeSize: 4608
  LinkerVersion: 8.0
  FileAccessDate: 2014:11:05 15:39:43+01:00
  EntryPoint: 0x1000
  InitializedDataSize: 7168
  SubsystemVersion: 5.1
  ImageVersion: 0.0
  OSVersion: 5.1
  FileCreateDate: 2014:11:05 15:39:43+01:00
  UninitializedDataSize: 0

File identification

  MD5: 8979a73c991df6454dc6012743184318
  SHA1: 1fb88ef147718ea4750e68b5f64b85d20d8f3de3
  SHA256: f8407b68d4492373fcd639d763879a13b715ef5bd5c8f89aaf573759635d6fb4
  ssdeep: 192:e109GJSAZ0UwDYK9Yr9EQ/18fwQpFSB3ZJ98AL39wYUOiOOO8OOOOOOOOOOOOOOn:Yuk/+UwcrzujmzjWYYYWrTw7ueQ
  authentihash: bb68a21a7da6bbbe011f73889f1b09bf35a01357b76371dcf68d7a1ad472cb18
  imphash: d17d1db95f848e07182f6ae48542a0df
  Filesize: 15.5 KB (15872 bytes)
  FileType: Win32 EXE
  Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  TrID:
    Win32 Executable MS Visual C++ (generic) (42.1%)
    Win64 Executable (generic) (37.3%)
    Win32 Dynamic Link Library (generic) (8.8%)
    Win32 Executable (generic) (6.0%)
    Generic Win/DOS Executable (2.7%)