Malware gone greedy: Replaces Bitcoin addresses in clipboard with the Malware creator Bitcoin address

Damn, the person behind the “vti-rescan” file and the “Bitcoin.Clipboard stealer” has developed a piece of malware that monitors the Windows clipboard for Bitcoin addresses.

#Malware replaces #Bitcoin address copied to clipboard with a hardcoded one (16hfwEmF72oF5nXwr4YDxyLMuHmmGWzJMc)

Once it finds a Bitcoin address, it will replace it with the following static Bitcoin address:

16hfwEmF72oF5nXwr4YDxyLMuHmmGWzJMc
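To show how this substitution can be caught on the endpoint, here is an added example in Python (not code from the post, from Polska Cert or from the malware): it compares the text a user copied with what the clipboard holds a moment later, flags any Bitcoin address that was not in the original, and matches it against the payout address quoted above. The clipboard events, the 1SampLe... / 3Another... addresses and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Payout address hard-coded in the sample, as quoted in the post above.
KNOWN_SWAP_ADDRESSES = {"16hfwEmF72oF5nXwr4YDxyLMuHmmGWzJMc"}

# Legacy Bitcoin address shape: a leading 1 or 3 followed by 25-34 Base58
# characters (no 0, O, I or l). Shape only; the Base58Check checksum is not verified.
BTC_ADDRESS_RE = re.compile(
    r"(?<![A-Za-z0-9])[13][a-km-zA-HJ-NP-Z1-9]{25,34}(?![A-Za-z0-9])"
)


def find_addresses(text: str) -> List[str]:
    """Return every token shaped like a Bitcoin address, in order of appearance."""
    return BTC_ADDRESS_RE.findall(text)


def check_clipboard(copied: str, clipboard: str) -> Tuple[str, List[str]]:
    """Compare what the user copied with what the clipboard holds a moment later.

    The malware leaves ordinary text alone and only rewrites Bitcoin addresses,
    so an address present in the clipboard but absent from the copied text is
    the signal. Returns (status, injected_addresses) with status one of
    "clean", "swapped" or "swapped_known_ioc".
    """
    expected = find_addresses(copied)
    observed = find_addresses(clipboard)
    if expected == observed:
        return "clean", []
    injected = sorted(set(observed) - set(expected))
    if KNOWN_SWAP_ADDRESSES.intersection(injected):
        return "swapped_known_ioc", injected
    return "swapped", injected


def scan_events(events) -> List[str]:
    """Run the check over (copied, clipboard) pairs; one status per pair."""
    return [check_clipboard(copied, clip)[0] for copied, clip in events]


# Constructed clipboard events: (text copied, clipboard contents a moment later).
# 1SampLe... is a made-up address; the second pair is the swap the post describes.
SAMPLE_EVENTS = [
    ("pay 1SampLeAddrUsedForThisTestPost12345", "pay 1SampLeAddrUsedForThisTestPost12345"),
    ("pay 1SampLeAddrUsedForThisTestPost12345", "pay 16hfwEmF72oF5nXwr4YDxyLMuHmmGWzJMc"),
    ("meeting moved to 10:30", "meeting moved to 10:30"),
]
```

A real monitor would feed `check_clipboard` from the OS clipboard on every change event; the comparison logic stays the same.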

The great lads from Polska Cert have provided the Bitcoin address and have tweeted the VirusTotal scan result.

This means that we can take a look at the VirusTotal report:

  • SHA256: f8407b68d4492373fcd639d763879a13b715ef5bd5c8f89aaf573759635d6fb4
  • Filename: vti-rescan
  • Target machine: Intel 386 or later processors and compatible processors
  • Compilation timestamp: 2010-04-15 01:51:16
  • Link date: 2:51 AM 4/15/2010
  • Entry point: 0x00001000
  • Number of sections: 4

PE sections

  Name    Virtual address  Virtual size  Raw size  Entropy  MD5
  .text   4096             4401          4608      6.51     bad17e71440d5f17d4488f439c20bc02
  .rdata  12288            3620          4096      6.91     d1700d3a7ab632ad7b83d3bc4f9720cd
  .data   16384            2060          2048      6.37     ef81ffbf654561b6e484f3f564e0e0b7
  .rsrc   20480            4096          4096      7.20     c31a4d72f86ca2034e09f866ffef041d

ExifTool file metadata

  • MIMEType: application/octet-stream
  • Subsystem: Windows GUI
  • MachineType: Intel 386 or later, and compatibles
  • TimeStamp: 2010:04:15 02:51:16+01:00
  • FileType: Win32 EXE
  • PEType: PE32
  • CodeSize: 4608