MSIL/PSW.CoinStealer [Threat Name] go to Threat

MSIL/PSW.CoinStealer.Y [Threat Variant Name]

Category trojan
Size 372736 B
Aliases Trojan.Win32.Agent.netbaf (Kaspersky)
  Trojan:Win32/Dynamer!ac (Microsoft)
Short description

MSIL/PSW.CoinStealer.Y is a trojan that can interfere with the operation of certain applications.


When executed the trojan copies itself in the following locations:

  • %localappdata%\­Drpbx\­drpbx.exe
  • %appdata%\­Frfx\­firefox.exe

The trojan may create copies of itself using the following filenames:

  • %startup%\­Frfx\­firefox.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "firefox.exe" = "%appdata%\­Frfx\­firefox.exe"
Other information

The trojan displays the following dialog box:

The trojan contains a list of Bitcoin addresses.

The trojan may alter the contents of the clipboard.

The trojan replaces a Bitcoin address stored in the clipboard with an address of the attacker.

Please enable Javascript to ensure correct displaying of this content and refresh this page.