New Bitcoin infostealer Trojan spotted in the wild (Dec 13, 2013)

The Dell SonicWALL Threats Research team has received reports of a new infostealer Trojan aimed at Bitcoin users. As the value of Bitcoin continues to rise and reach relative stability, attackers keep devising ways to either steal or generate bitcoins using compromised machines. The Trojan described below can steal various types of information from the victim machine, including Bitcoin wallet.dat files.

Infection cycle:

The Trojan uses the following icon:

The Trojan makes the following DNS query:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\asvep\winupdate.exe (AutoIt executable)
  • %USERPROFILE%\asvep\5943564.IFW (encoded AutoIt script)
  • %USERPROFILE%\asvep\20070.RQT [Detected as GAV: NetWiredRC.I#enc (Trojan)]
  • %USERPROFILE%\asvep\65901.PPZ (command configuration file)
  • %USERPROFILE%\asvep\7246235.vbe
  • %USERPROFILE%\asvep\start.cmd
  • %USERPROFILE%\asvep\start.vbs

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce asvep "%USERPROFILE%\asvep\start.vbs"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winlogon "%WINDOWS%\System32\mshta.exe"

The Trojan binary contains an embedded RAR archive that contains the malicious files listed above:

5943564.IFW contains an encoded AutoIt script. The decoded version of the script contains anti-debugging, anti-VM and anti-antivirus instructions:

The AutoIt script is started by start.cmd:

The configuration file instructs the script to hide the process, disable UAC, protect the process by adding anti-hooking features, and prevent Task Manager from loading.

The script decrypts and runs 20070.RQT [Detected as GAV: NetWiredRC.I (Trojan)] by injecting code into %WINDOWS%\System32\mshta.exe.
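A host check for the persistence keys, dropped files and injection target listed above. This is an added example, not part of the SonicWALL analysis; the function name Find-AsvepArtifacts, the output format and the pattern matching are this example's own, while the paths and value names come from the writeup. Run it from PowerShell in the context of the affected user.

```powershell
# Hunts for the artifacts described in the advisory; returns one object per finding.
function Find-AsvepArtifacts {
    $findings = @()

    # Registry persistence: RunOnce "asvep" -> start.vbs, Run "winlogon" -> bare mshta.exe
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
            $val = [string]$p.Value
            # Flag anything under \asvep\, or mshta.exe started with no HTA argument
            if ($val -match '(?i)\\asvep\\' -or $val -match '(?i)mshta\.exe\s*"?$') {
                $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$($p.Name)"; Value = $val }
            }
        }
    }

    # Dropped files from the advisory, expected under %USERPROFILE%\asvep
    $dropDir = Join-Path $env:USERPROFILE 'asvep'
    $dropped = 'winupdate.exe', '5943564.IFW', '20070.RQT', '65901.PPZ', '7246235.vbe', 'start.cmd', 'start.vbs'
    foreach ($name in $dropped) {
        $path = Join-Path $dropDir $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Value = $hash }
        }
    }

    # Injection target: a running mshta.exe with no .hta on its command line is suspicious
    foreach ($proc in (Get-CimInstance Win32_Process -Filter "Name='mshta.exe'")) {
        if ($proc.CommandLine -notmatch '(?i)\.hta') {
            $findings += [pscustomobject]@{ Type = 'Process'; Location = "PID $($proc.ProcessId)"; Value = $proc.CommandLine }
        }
    }
    return $findings
}

Find-AsvepArtifacts | Format-Table -AutoSize
```

An empty table means none of the listed artifacts were found for the current user; the registry and process checks also catch variants that keep the same persistence technique but rename the dropped files.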

The following encrypted communication was observed between the decrypted NetWiredRC.I Trojan and bitcoins.dd-dns.de:

The NetWiredRC.I executable is an infostealer Trojan capable of stealing data from the victim machine including Bitcoin wallet.dat files.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Netwired.A (Trojan)
  • GAV: NetWiredRC.I (Trojan)
  • GAV: NetWiredRC.I#enc (Trojan)