- SHA1: 9d718260ba50cd3a92414a60b4f746db76687e07
A malicious program designed to replace cryptocurrency wallet numbers in the Windows clipboard. It uses mutexes to check whether another instance is already running. The Trojan saves a copy of itself to the file %PROGRAMDATA%\mbvhost.exe. To ensure that it is launched, the Trojan creates the task “\Iota\Micro\Miclip” in the Windows Task Scheduler.
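As an added example (not part of the original description), the PowerShell below checks a host for the dropped file and the scheduled task named above and compares the file against the listed SHA1. The function name `Test-ClipperArtifacts` and the output fields are hypothetical; the check reads on-disk and Task Scheduler state rather than the process list, since the Trojan exits when it sees a process manager.

```powershell
# Added example: host check for the artifacts named in this description.
# Path, task name and SHA1 come from the page; everything else is illustrative.
function Test-ClipperArtifacts {
    [CmdletBinding()]
    param(
        [string]$DropPath  = (Join-Path $env:ProgramData 'mbvhost.exe'),
        [string]$TaskPath  = '\Iota\Micro\',
        [string]$TaskName  = 'Miclip',
        [string]$KnownSha1 = '9d718260ba50cd3a92414a60b4f746db76687e07'
    )
    $findings = @()

    # 1. Dropped copy on disk. -Force also returns hidden or system files.
    $file = Get-Item -LiteralPath $DropPath -Force -ErrorAction SilentlyContinue
    if ($file) {
        $sha1 = $null
        try {
            $sha1 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1 -ErrorAction Stop).Hash.ToLower()
        } catch {
            Write-Warning "Could not hash $($file.FullName): $($_.Exception.Message)"
        }
        # The SHA1 identifies one sample only; a file at this path with a
        # different hash still needs review.
        $findings += [pscustomobject]@{
            Artifact  = 'File'
            Location  = $file.FullName
            Detail    = "SHA1=$sha1; Created=$($file.CreationTimeUtc.ToString('u'))"
            HashMatch = ($sha1 -eq $KnownSha1)
        }
    }

    # 2. Persistence: the scheduled task and the command it runs.
    $tasks = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    foreach ($t in $tasks) {
        $cmd = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $findings += [pscustomobject]@{
            Artifact  = 'ScheduledTask'
            Location  = "$($t.TaskPath)$($t.TaskName)"
            Detail    = "State=$($t.State); Action=$cmd"
            HashMatch = $null
        }
    }
    return $findings
}

# An empty result means neither artifact was found on this host.
Test-ClipperArtifacts | Format-List
```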
In a separate thread, the Trojan monitors windows as they open and tries to detect the launch of process managers. When one is detected, the Trojan shuts itself down.
The Trojan monitors the clipboard and tries to replace cryptocurrency wallet numbers stored there. It searches for wallets using the following regular expressions: