SHA1:
- 7a18337432a32fb717464f83a377a04f6ddd16a6
A Trojan designed to steal confidential information from computers running Microsoft Windows. It calls itself Evrial stealer; its author is a virus writer hiding behind the pseudonym TheBottle.
The malicious program runs on both 32-bit and 64-bit versions of Windows. What sets this Trojan apart from the other stealers written by the same author is that Evrial stealer also implements clipper functionality, i.e., the ability to change the contents of the clipboard. The clipper can monitor the clipboard for, and substitute, wallet numbers of the following cryptocurrencies and electronic payment systems: BTC, LTC, MONERO, ETHEREUM, QIWI, WMR, WMZ, WME.
The Trojan steals saved passwords from the browsers Chromium, Google Chrome, Opera, Kometa, Amigo, Torch, Orbitum, Comodo Dragon and Yandex.Browser, as well as user data from the FileZilla and Pidgin applications. It can also send the cybercriminal any files on the Windows desktop with the extensions .doc, .docx, .txt and .log. If the wallet.dat file used by Bitcoin wallet software is present, the Trojan copies it to a server belonging to the cybercriminals.
</gret_replace>
<gr_replace lines="6" cat="clarify" orig="The Trojan is implemented">
The Trojan is implemented as an executable EXE file that registers itself for autorun on its first launch. The clipper module monitors the state of the infected computer's clipboard. If it determines that the clipboard holds an electronic wallet identifier in one of the formats the Trojan supports, it contacts the command-and-control server, receives from it the value the clipboard contents should be changed to, and performs the substitution.
The Trojan is implemented as an executable EXE file, which is registered at startup on the first start. The clipping module tracks the status of the infected computer's clipboard. If it is able to determine that the value of the name of the electronic wallet in the format supported by the Trojan is placed on the clipboard, it refers to the managing server, receives from it values to which the clipboard contents should be changed, and replaces them.
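As an added, defender-side example (not part of this description and not the Trojan's own code), the following Python snippet classifies clipboard strings by the wallet types listed above and flags the substitution behaviour the clipper exhibits: a wallet identifier replaced by a different identifier of the same type within a couple of seconds. The address patterns are simplified, and the clipboard-polling agent that would supply the snapshots and the sample history itself are assumptions constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Simplified address patterns for the wallet types the Evrial clipper targets.
# Assumption: illustration-only formats, not exhaustive validators (no checksums).
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,60})$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{25,60})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "WM": re.compile(r"^[RZE]\d{12}$"),     # WMR / WMZ / WME purse numbers
    "QIWI": re.compile(r"^\+?\d{10,15}$"),  # QIWI wallets are phone numbers
}

def classify(text: str) -> Optional[str]:
    """Return the wallet type a clipboard string looks like, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def detect_swaps(snapshots: List[Tuple[float, str]],
                 window: float = 2.0) -> List[Tuple[float, str, str, str]]:
    """Flag clipper-like substitutions in (timestamp, clipboard text) snapshots
    from an assumed clipboard-monitoring agent. Heuristic: a wallet identifier
    replaced by a *different* identifier of the *same* type within `window`
    seconds is almost certainly not a user action."""
    swaps = []  # (timestamp, wallet type, original, replacement)
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind = classify(prev)
        if kind is None or prev.strip() == cur.strip():
            continue
        if classify(cur) == kind and (t_cur - t_prev) <= window:
            swaps.append((t_cur, kind, prev.strip(), cur.strip()))
    return swaps

# Constructed clipboard history (not real addresses): the user copies their own
# identifier and a clipper overwrites it a fraction of a second later.
SAMPLE_HISTORY = [
    (0.0, "meeting notes"),
    (1.0, "1SAMPLEADDRESSFAKE" + "A" * 14),
    (1.3, "1ATTACKERADDRESSFAKE" + "A" * 12),
    (10.0, "R123456789012"),
    (20.0, "R987654321098"),  # second WM purse 10 s later: legitimate re-copy
    (30.0, "0x" + "ab" * 20),
    (30.4, "0x" + "cd" * 20),
]
if __name__ == "__main__":
    for ts, kind, before, after in detect_swaps(SAMPLE_HISTORY):
        print(f"t={ts:.1f}s {kind} clipboard swapped: {before} -> {after}")
```

On a live host the snapshots would come from a periodic clipboard read; the heuristic trades a small false-positive rate for catching the fast overwrite this clipper performs.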