Python/CoinBot [Threat Name]

Python/CoinBot.A [Threat Variant Name]

Category trojan
Size 35492864 B
Aliases Trojan.Win32.Reconyc.cnhp (Kaspersky)
  Trojan:Win32/Ronohu.A (Microsoft)
  Trojan.DownLoader12.5693 (Dr.Web)

Short description

The trojan serves as a backdoor and can be controlled remotely. The file is run-time compressed using UPX.


When executed, the trojan copies itself into the following location:

  • %userprofile%\pwo5\svchost.exe

The trojan creates the following files:

  • %temp%\IXP%variable%.TMP\pwo5.exe (7691285 B, Python/CoinBot.A)
  • %temp%\IXP%variable%.TMP\21039.exe (27632792 B)

The files are then executed.

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "pwo5" = "%userprofile%\pwo5\svchost.exe"
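
The following Python check is an added example, not part of the original description. It scans `reg query` output for the Run entry listed above and, going slightly beyond the page, flags any autorun whose image name is a Windows system binary located outside System32. The sample output, the user name, the list of system binary names and the `C:\Windows` install path are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample of: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# The user name "alice" and the OneDrive entry are made up for this example.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    pwo5    REG_SZ    C:\Users\alice\pwo5\svchost.exe
"""

# Indicators taken from the description above.
IOC_VALUE_NAME = "pwo5"
IOC_PATH_SUFFIX = r"\pwo5\svchost.exe"  # also matches the unexpanded %userprofile% form

# Generalisation (assumption, not from the page): system binary names that
# should only start from System32 or SysWOW64 on a default C:\Windows install.
SYSTEM_IMAGE_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}REG_\w+ {4}(.*)$", re.MULTILINE)


def image_path(data):
    """Return the executable path from a Run value, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return match.group(1) if match else data


def scan_run_key(reg_query_output):
    """Return (value_name, path, reason) for each suspicious autorun value."""
    findings = []
    for name, data in VALUE_LINE.findall(reg_query_output):
        path = ntpath.normpath(image_path(data))
        lowered = path.lower()
        if name.lower() == IOC_VALUE_NAME and lowered.endswith(IOC_PATH_SUFFIX):
            findings.append((name, path, "matches Python/CoinBot.A Run entry"))
        elif (ntpath.basename(lowered) in SYSTEM_IMAGE_NAMES
              and ntpath.dirname(lowered) not in SYSTEM_DIRS):
            findings.append((name, path, "system binary name outside System32"))
    return findings


if __name__ == "__main__":
    for finding in scan_run_key(SAMPLE_REG_QUERY):
        print(finding)
```
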

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • operating system version
  • CPU information
  • language settings
  • video controller type

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 8 URLs. It communicates via the Tor anonymity network.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • update itself to a newer version
  • set up an HTTP server
  • log keystrokes
  • perform Bitcoin mining
