Initially, it was assumed that Coqui would be a "banking Trojan", but due to lack of skills, the developer settled on a conditional keylogger that is activated only when it detects a victim on certain banking sites.
Coqui also contains anti-analysis checks for tools such as Process Monitor and Process Hacker (anything whose process name begins with "Process"). If one of these processes is detected, the main keylogger binary is opened and overwritten, so that analysing the keylogger becomes useless. The keylogger is also activated only when a window related to banking is detected; as soon as that window loses focus (for example, the user opens a calculator), the keylogger is killed.
After the window monitor (ProcKill) starts, it tries to disable the keylogger (via `system("taskkill /F /T /IM keylogger.exe")`) whenever it does not detect that the foreground window (the window the user is currently working in) is bank-related.
NOTE: It compares a list of bank-related titles against the current working window; this list can be expanded simply by adding more window titles:
The current working window above is the command line, so it tries to disable the keylogger (in this case named svart.exe).
Now the current window above is the Wells Fargo (US bank) site, so the keylogger starts up, and ProcKill checks whether it is already running before starting it again. If it is already running, it outputs "[!] Svart is already running!"
If the user changes their current working window and the keylogger is working, we may see a “SUCCESS” message indicating that the keylogger has been disabled due to the user changing the window.
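The start/kill toggling described above leaves a distinctive trace in process-creation telemetry: one parent process that both launches an image and repeatedly force-kills that same image by name with `taskkill /F /T /IM`. The following Python is an added detection example written for this page, not code from the Coqui project; the event records, the parent path `prockill.exe` and the thresholds are constructed assumptions standing in for a Sysmon Event ID 1 feed.

```python
import re
from collections import defaultdict

# Constructed process-creation events (simplified Sysmon Event ID 1 shape):
# (timestamp, parent image, child command line). Assumed format, not real telemetry.
EVENTS = [
    ("10:00:01", "C:\\Users\\bob\\prockill.exe", "taskkill /F /T /IM svart.exe"),
    ("10:00:02", "C:\\Users\\bob\\prockill.exe", "C:\\Users\\bob\\svart.exe"),
    ("10:00:07", "C:\\Users\\bob\\prockill.exe", "taskkill /F /T /IM svart.exe"),
    ("10:00:12", "C:\\Users\\bob\\prockill.exe", "C:\\Users\\bob\\svart.exe"),
    ("10:00:15", "C:\\Users\\bob\\prockill.exe", "taskkill /F /T /IM svart.exe"),
    # Benign noise: explorer launching calc, an admin killing notepad once.
    ("10:05:00", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\calc.exe"),
    ("10:06:00", "C:\\Windows\\System32\\cmd.exe", "taskkill /F /IM notepad.exe"),
]

# Matches a taskkill command line and captures the image name given to /IM.
TASKKILL_RE = re.compile(r"^taskkill\b.*?/IM\s+(\S+)", re.IGNORECASE)


def image_name(cmdline):
    """Basename of the executable in a command line (first token, path stripped)."""
    first = cmdline.split()[0] if cmdline.split() else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_toggling_parents(events, min_kills=2, min_starts=1):
    """Return {parent: image} for parents that both start an image and force-kill
    it by name at least `min_kills` times: the window-monitor/keylogger toggle."""
    kills = defaultdict(lambda: defaultdict(int))   # parent -> image -> kill count
    starts = defaultdict(lambda: defaultdict(int))  # parent -> image -> start count
    for _ts, parent, cmdline in events:
        m = TASKKILL_RE.match(cmdline)
        if m:
            kills[parent][m.group(1).lower()] += 1
        else:
            starts[parent][image_name(cmdline)] += 1
    hits = {}
    for parent, images in kills.items():
        for image, n in images.items():
            if n >= min_kills and starts[parent].get(image, 0) >= min_starts:
                hits[parent] = image
    return hits


if __name__ == "__main__":
    for parent, image in find_toggling_parents(EVENTS).items():
        print(f"[!] {parent} repeatedly starts and force-kills {image}")
```

The rule keys on behaviour rather than on the names `prockill.exe` or `svart.exe`, so renaming the binaries does not evade it; the one-off `taskkill` from `cmd.exe` stays below the kill threshold and is not reported.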
As for the keylogger, it is pretty simple: it delivers the logged data by sending GET requests to the specified IP address. That IP address must be running an Apache server that logs GET requests, so the captured keystrokes end up in the access log.
The dropper.c file is responsible for the data theft and schedules it to run every 12 days.
The project is written entirely in C and has been published quite recently.
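Because the exfiltration channel is plain GET requests whose payload rides in the query string, an egress proxy or web gateway sees the same thing the attacker's Apache access log does. The following Python is an added example written for this page, not part of the Coqui project: it parses Apache combined-format log lines (as a forward proxy would write them, with the absolute URL in the request line) and flags clients that repeatedly send long query strings to a bare-IP host. The log lines, the IP addresses and the `k=` parameter are constructed; the length and repetition thresholds are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines in Apache "combined" format (not real traffic).
# The first three mimic keystroke batches sent as GET query strings to a bare IP;
# the last two are ordinary browsing and a small update fetch from an IP host.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET http://198.51.100.7/?k=d2VsbHMgZmFyZ28gbG9naW4gcGFzc3dvcmQx HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:30 +0000] "GET http://198.51.100.7/?k=dXNlcm5hbWUgc2VjcmV0IHBhc3N3b3JkMTI HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET http://198.51.100.7/?k=YWNjb3VudCBudW1iZXIgMTIzNDU2Nzg5MA HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [01/Jan/2024:10:02:00 +0000] "GET https://www.example.com/search?q=python%20logging%20tutorial HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:03:00 +0000] "GET http://203.0.113.4/update.txt HTTP/1.1" 200 88 "-" "curl/8.0"',
]

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Parse one combined-format line into a dict, adding host and query fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""   # empty for relative request lines
    rec["query"] = parts.query
    return rec


def flag_get_exfil(lines, min_query_len=32, min_hits=2):
    """Return {(client, host): count} for clients that issue at least `min_hits`
    GET requests carrying a query string of `min_query_len`+ chars to a bare-IP host."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"].upper() != "GET":
            continue
        if IPV4_RE.match(rec["host"]) and len(rec["query"]) >= min_query_len:
            counts[(rec["client"], rec["host"])] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for (client, host), n in flag_get_exfil(LOG_LINES).items():
        print(f"[!] {client} sent {n} long GET query strings to bare IP {host}")
```

The example.com search is ignored because its host is a name, and the single short fetch from 203.0.113.4 falls under both thresholds; only the repeated long-query GETs from 10.0.0.5 to 198.51.100.7 are reported. Beyond this page's case, the same rule catches any tool that smuggles data in GET query strings to an IP-only host, which is why it keys on host type and payload length rather than on a parameter name.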