OSX/PSW.Coinstealer [Threat Name]

OSX/PSW.Coinstealer.A [Threat Variant Name]

Category trojan
Size 5386436 B
Detection created Apr 02, 2014
Detection database version 9627
Aliases Trojan.OSX.Coinstealer.a (Kaspersky)
  MacOS:StealBit-N (Avast)
  MAC.OSX.Coinstealer.A (BitDefender)
Short description

OSX/PSW.Coinstealer.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.


The trojan tries to appear to be a legitimate application.

Information stealing

OSX/PSW.Coinstealer.A is a trojan that steals sensitive information.


The trojan may steal wallet files of the following digital currencies:

  • Bitcoin

The trojan collects the following files:

  • %home%/Library/Application Support/Bitcoin/wallet.dat
  • %home%/Library/Application Support/Bitcoin/bitcoin.conf

The trojan searches for files under the following path:

  • /Users/*

It avoids files with the following filenames:

  • addr.dat
  • blkindex.dat
  • peers.dat
  • BOOTSTAT.dat

It avoids files with the following extensions:

  • .avi
  • .bmp
  • .bz
  • .bz2
  • .c
  • .cpp
  • .css
  • .csv
  • .dll
  • .exe
  • .fl
  • .gif
  • .gz
  • .h
  • .htm
  • .html
  • .ico
  • .jpg
  • .js
  • .lnk
  • .nib
  • .pdf
  • .png
  • .rar
  • .sys
  • .tar
  • .tif
  • .txt
  • .wmv
  • .z
  • .zip

Only files which contain one of the following strings are searched:

  • pool
  • main
  • key
  • name
  • addr
  • bestblock
  • defaultKey
  • version
  • setting
  • addr
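
For exposure assessment on an affected Mac, the selection criteria above can be applied to a file listing to see which files fall within what the trojan collects. This is an added example, not code from the trojan or the vendor; the function names, the sample data, and the matching rules (recursive search under /Users, exact name and extension comparison, "contain" read as a byte substring of the file content) are assumptions.

```python
from pathlib import PurePosixPath

# Lists copied from the description above.
TARGET_FILES = {"Library/Application Support/Bitcoin/wallet.dat",
                "Library/Application Support/Bitcoin/bitcoin.conf"}
AVOIDED_NAMES = {"addr.dat", "blkindex.dat", "peers.dat", "BOOTSTAT.dat"}
AVOIDED_EXTS = set(".avi .bmp .bz .bz2 .c .cpp .css .csv .dll .exe .fl .gif .gz "
                   ".h .htm .html .ico .jpg .js .lnk .nib .pdf .png .rar .sys "
                   ".tar .tif .txt .wmv .z .zip".split())
MARKERS = [b"pool", b"main", b"key", b"name", b"addr", b"bestblock",
           b"defaultKey", b"version", b"setting"]


def classify(path, content, home):
    """Return 'targeted', 'in-scope' or 'out-of-scope' for one file.

    Assumptions (not stated on the page): the /Users/* search is recursive,
    names and extensions compare exactly, and the strings are looked for in
    the file content.
    """
    p = PurePosixPath(path)
    try:
        if str(p.relative_to(home)) in TARGET_FILES:
            return "targeted"          # wallet.dat / bitcoin.conf, always collected
    except ValueError:
        pass                           # not under this home directory
    if PurePosixPath("/Users") not in p.parents:
        return "out-of-scope"
    if p.name in AVOIDED_NAMES or p.suffix in AVOIDED_EXTS:
        return "out-of-scope"
    if any(marker in content for marker in MARKERS):
        return "in-scope"
    return "out-of-scope"


# Constructed sample listing: (path, first bytes of the file).
SAMPLE = [
    ("/Users/alice/Library/Application Support/Bitcoin/wallet.dat", b"\x00defaultKey"),
    ("/Users/alice/Library/Application Support/Bitcoin/peers.dat", b"addr"),
    ("/Users/alice/Documents/notes.txt", b"my key"),
    ("/Users/alice/backup/old-wallet.bak", b"\x04name\x07bestblock"),
    ("/Users/alice/Music/track.mp3", b"ID3\x03\x00"),
    ("/private/var/db/keys.db", b"key"),
]


def report(sample=SAMPLE, home="/Users/alice"):
    """Map each sample path to its classification."""
    return {path: classify(path, data, home) for path, data in sample}
```

Files reported as "targeted" or "in-scope" are the ones to treat as disclosed when deciding which wallets and keys to rotate.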

The trojan attempts to send the collected files to a remote machine.


The trojan contains a list of 2 URLs. The HTTPS protocol is used in the communication.
