Damn, the person behind the “vti-rescan” file, and the “Bitcoin.Clipboard stealer” has developed a piece of malware which monitors the Clipboard environment for Bitcoin addresses.
Once it finds a Bitcoin address, it will replace it with the following static Bitcoin address:
16hfwEmF72oF5nXwr4YDxyLMuHmmGWzJMc
The great lads from Polska Cert have provided the Bitcoin address and have tweeted the virustotal scan result.
This means that we can take a look at the VirusTotal report:
- SHA256: f8407b68d4492373fcd639d763879a13b715ef5bd5c8f89aaf573759635d6fb4
- Filename: vti-rescan
- Target machine Intel 386 or later processors and compatible processors
- Compilation timestamp 2010-04-15 01:51:16
- Link date 2:51 AM 4/15/2010
- Entry Point 0x00001000
- Number of sections 4
PE sections
- Name Virtual address Virtual size Raw size Entropy MD5
- .text 4096 4401 4608 6.51 bad17e71440d5f17d4488f439c20bc02
- .rdata 12288 3620 4096 6.91 d1700d3a7ab632ad7b83d3bc4f9720cd
- .data 16384 2060 2048 6.37 ef81ffbf654561b6e484f3f564e0e0b7
- .rsrc 20480 4096 4096 7.20 c31a4d72f86ca2034e09f866ffef041d
ExifTool file metadata
MIMEType
application/octet-stream
Subsystem
Windows GUI
MachineType
Intel 386 or later, and compatibles
TimeStamp
2010:04:15 02:51:16+01:00
FileType
Win32 EXE
PEType
PE32
CodeSize
4608
LinkerVersion
8.0
FileAccessDate
2014:11:05 15:39:43+01:00
EntryPoint
0x1000
InitializedDataSize
7168
SubsystemVersion
5.1
ImageVersion
0.0
OSVersion
5.1
FileCreateDate
2014:11:05 15:39:43+01:00
UninitializedDataSize
0
File identification
| TrID | Win32 Executable MS Visual C++ (generic) (42.1%) Win64 Executable (generic) (37.3%) Win32 Dynamic Link Library (generic) (8.8%) Win32 Executable (generic) (6.0%) Generic Win/DOS Executable (2.7%) |