The malware has a valid digital signature and is distributed among cryptocurrency enthusiasts. Upon launch it downloads and compiles source code using the .NET Framework. Using the same code, it then downloads Trojan.PWS.Stealer.24943. The malware creators also use the 2n****.co service to collect information on the number of installs.
Technical information
To ensure its auto-run and distribution, it modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '2themoon' = '<File path>'
Network activity
Connects to:
- '2n****.co':443
- 'coin****.io':80
- 'coin****.io':443
- 'raw.githubuserco****.com':443
TCP:
HTTP GET requests:
- http://coin****.io/front
UDP:
- DNS ASK 2n****.co
- DNS ASK coin****.io
- DNS ASK raw.githubuserco****.com
The Trojan creates and runs the following in hidden windows:
- '<SYSTEM32>\wisptis.exe' /ManualLaunch;
- '%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\u1t33wpc.cmdline"
- '%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES948F.tmp" "%TEMP%\CSC3F93840EDD39419F8C70B8765AAF94.TMP"
Executes the following:
- '<SYSTEM32>\wisptis.exe' /ManualLaunch;
- '%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\u1t33wpc.cmdline"
- '%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES948F.tmp" "%TEMP%\CSC3F93840EDD39419F8C70B8765AAF94.TMP"