{"id":2990,"date":"2024-09-25T20:55:45","date_gmt":"2024-09-25T20:55:45","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2990"},"modified":"2025-07-29T06:55:04","modified_gmt":"2025-07-29T06:55:04","slug":"spritecoin-who-needs-phishing-when-crypto-hype-makes-the-perfect-bait","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/spritecoin-who-needs-phishing-when-crypto-hype-makes-the-perfect-bait\/","title":{"rendered":"SpriteCoin: who needs phishing when crypto-hype makes the perfect bait?"},"content":{"rendered":"
\n
\"Victor-Mousetrap\"<\/figure>\n<\/div>\n\n\n

With the hype around cryptocurrency sending values skyrocketing, it was only a matter of time until cyber criminals pounced. We\u2019re all familiar with attackers demanding payments in cryptocurrency but, in the case of SpriteCoin, hackers seem to have weaponised FOMO (fear of missing out).  

SpriteCoin ransomware takes advantage of the interest in cryptocurrency with authors advertising the supposed coin on forums, claiming it will be the next big thing. 

Users are lured into downloading the currency\u2019s wallet, which is in fact a form of ransomware. A victim believes the wallet is setting up, however all the while their files are being encrypted.  

In this case, the ransom demanded is 0.3 Monero (roughly USD$100) in payment. Adding insult to injury, once this ransom is paid a second piece of malware is dropped on to the victim\u2019s terminal. SpriteCoin not only encrypts files, but also steals user credentials, storing them using an embedded SQLite engine before sending them to the attackers’ Tor website via several POST requests.<\/p>\n\n\n\n

File Details <\/strong><\/p>\n\n\n\n

File type<\/strong><\/td>Portable Executable (.exe) file<\/td><\/tr>
Md5 hash<\/strong><\/td>14ea53020b4d0cb5acbea0bf2207f3f6<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis<\/strong>

The first thing we noticed was our sample was developed with UPX packer:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once unpacked, we were given a new sample hash: \u201cec917948471862504b19b643eb6e5e1f\u201d<\/strong><\/em>

This ransomware sample has been coded in SQL. Upon unpacking, we discovered that once browser credentials were stolen, they were then queried in SQL:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Mutex creation features are used to avoid repeated infection, check for free disk space, get file attributes, process addresses, and access the “%TEMP%” path:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

SpriteCoin also conducts “GET” and “POST” requests to various onion sites, checking target user profile details like computer name and user account name:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

The respective browser types and credential dumping qualities are shown below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Below we can see how SpriteCoin initiates various SQL commands in order to initiate a successful transaction:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

In order to maintain persistence, SpriteCoin also creates the following registry entry in the \u201cAppdata\u201d location:

\u201cHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\u201d \u00a0\/F \u00a0\/t \u00a0REG_SZ \/V “MoneroPay” \/D “%s”<\/strong><\/em>

As a result, it continues executing even after reboots.<\/p>\n\n\n\n

Dynamic analysis<\/strong>

The first thing we uncovered during behavioral analysis was that the sample initiates a connection to the IP 103.198.0.2:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This continues for multiple attempts:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once successful, a new process \u201creg.exe\u201d initiates as a child process:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Next, a connection to the onion site “jmqapf3nflatei35[.]onion[.]link” is initiated:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

SpriteCoin then sends the victim\u2019s user-name, PC name and browser credentials \u2013 the latter identified as \u2018pwdump\u2019 below:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

In terms of its ransomware capabilities, all data is encrypted with the \u201c.encrypted\u201d extension
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The following ransom message is displayed on the desktop:

Registries added<\/strong>

HKU\\S-1-5-21-1473857359-2239192248-2645835995-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MoneroPay: “C:\\Users\\<user-name>\\AppData\\Roaming\\MoneroPayAgent.exe”<\/p>\n\n\n\n

Dropped Files<\/strong>

\u2022    C:\\Users\\<user-name>\\AppData\\Roaming\\MoneroPayAgent.exe<\/em><\/strong>

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\coobgpohoikkiipiblmjeljniedjpjpf\\0.0.0.60_0\\128.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\coobgpohoikkiipiblmjeljniedjpjpf\\0.0.0.60_0\\16.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\coobgpohoikkiipiblmjeljniedjpjpf\\0.0.0.60_0\\32.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\coobgpohoikkiipiblmjeljniedjpjpf\\0.0.0.60_0\\48.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA3i9QA[1].png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA3kC8F[1].png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA42hve[1].png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA4BKPz[1].png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA5i1hv[1].png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA7S9LS[1].png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA8xt7o[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA9fheW[1].png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA9oKjx[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA9WclV[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AA9z9sE[1].png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAbYAzQ[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAgi0nZ[1].png.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAh6aae[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAhiLQV[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAhplTG[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAhsNki[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAhuXUR[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAhwCPy[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAhwvlv[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAhxFXv[1].jpg.encrypted

\u2022    C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\9D55DRDR\\AAhz38N[1].jpg.encrypted<\/p>\n\n\n\n

Indicators of Compromise<\/strong>

Packed sample<\/em><\/strong>

14ea53020b4d0cb5acbea0bf2207f3f6

Unpacked sample<\/em><\/strong>

ec917948471862504b19b643eb6e5e1f

MoneroPayAgent.exe<\/em><\/strong>

ec917948471862504b19b643eb6e5e1f  

IP Address\/CnC<\/strong><\/em>

103.198.0.2

Domain<\/strong><\/em>

jmqapf3nflatei35[.]onion[.]link:80<\/p>\n\n\n\n

Mitigations<\/strong>

Starting the PC in safe mode with networking may enable a victim to kill any suspicious processes from the task manager. If this fails, restoring the PC to some previously created restore point is the best way to return to normal functionality.\u00a0

As always, particularly when it comes to the seemingly lucrative world of cryptocurrency, do your research. If something seems too good to be true, it probably is.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

With the hype around cryptocurrency sending values skyrocketing, it was only a matter of time until cyber criminals pounced. We’re all familiar with attackers demanding payments in cryptocurrency but, in the case of SpriteCoin, hackers seem to have weaponised FOMO (fear of missing out).   SpriteCoin ransomware takes advantage of the interest in cryptocurrency with […]<\/p>\n","protected":false},"author":1,"featured_media":3012,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2990","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2990"}],"version-history":[{"count":6,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2990\/revisions"}],"predecessor-version":[{"id":4352,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2990\/revisions\/4352"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/3012"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}