COQUI - A BANKING KEYLOGGER - Other Leaks

Initially, it was assumed that Coqui would be a "banking Trojan", but due to lack of skills, the developer settled on a conditional keylogger that is activated only when it detects a victim on certain banking sites.

Coqui also contains anti-analysis methods such as Process Monitor, Process Hacker (anything with Process in the first part of the name). If these processes are detected, the main keylogger is opened and overwritten to render the analysis of the keylogger useless. The keylogger is also activated only if it detects a window related to banking transactions, as soon as this window goes out of focus (for example, the user opens a calculator), the keylogger is destroyed.

After starting the window monitor (ProcKill), it tries to disable the keylogger (using system (task kill / F / T / IM keylogger.exe) if it does not detect that the main window (the window in which the user is currently working) is related to something - or related to banks.

NOTE : It compares the list of bank-related titles to the current working window, this list can be expanded by simply adding window titles:

?url=https%3A%2F%2Fi.imgur.com%2FD4YqyrY

The current working window above is the command line, so it tries to disable the keylogger (in this case named svart.exe).

?url=https%3A%2F%2Fi.imgur.com%2FWbywCZ6

Now the current window above is the Wells Fargo (us bank) site, so the keylogger starts up and ProcKill checks if it works before starting it up again. If it is already running, it outputs "[!] Svart is already running!"

?url=https%3A%2F%2Fi.imgur.com%2F0GnzO4E

If the user changes their current working window and the keylogger is working, we may see a “SUCCESS” message indicating that the keylogger has been disabled due to the user changing the window.

?url=https%3A%2F%2Fi.imgur.com%2FTzZf87I

As for the keylogger, it's pretty simple: it retrieves the logged data by sending a GET request to the specified IP address. This IP address must have the Apache server running and logging GET requests.

The dropper.c file is responsible for stealing data and schedules it to run every 12 days to steal data.

The project is written entirely in C and has been published quite recently.

Download

Hidden Content
You'll be able to see the hidden content once you reply to this topic or

Please Login or Register to see this Hidden Content

This leak has been reported as still working 2 times this month (2 times in total).

COQUI - A BANKING KEYLOGGER

#1
Posted 17 November 2020 - 06:14 PM

#2
Posted 18 November 2020 - 03:51 PM

#3
Posted 18 November 2020 - 03:52 PM

#4
Posted 18 November 2020 - 04:18 PM

#5
Posted 24 November 2020 - 10:19 AM

#6
Posted 24 November 2020 - 10:22 AM

#7
Posted 24 November 2020 - 03:48 PM

#8
Posted 18 May 2021 - 01:51 AM

About Us

Navigation

Extras

Help Documents

Account

COQUI - A BANKING KEYLOGGER

#1 Posted 17 November 2020 - 06:14 PM

#2 Posted 18 November 2020 - 03:51 PM

#3 Posted 18 November 2020 - 03:52 PM

#4 Posted 18 November 2020 - 04:18 PM

#5 Posted 24 November 2020 - 10:19 AM

#6 Posted 24 November 2020 - 10:22 AM

#7 Posted 24 November 2020 - 03:48 PM

#8 Posted 18 May 2021 - 01:51 AM