Date: 02/03/2025
Severity: Medium
Summary
The Coyote Banking Trojan is malware targeting users in Brazil, delivered through LNK files that carry embedded PowerShell commands. These files are part of multi-stage attacks aimed at stealing sensitive information from over 70 financial apps and websites. Once active, the Trojan performs keylogging, takes screenshots, and uses phishing overlays to capture credentials.
Indicators of Compromise (IOC) List
URL/Domain | https://btee.geontrigame.com/mvkrouhawm https://qmnw.daowsistem.com/fayikyeund https://bhju.daowsistem.com/iwywybzqxk https://lgfd.daowsistem.com/riqojhyvnr https://leme.daowsistem.com/omzowcicwp https://igow.scortma.com/fqieghffbm https://quit.scortma.com/xzcpnnfhxi https://llue.geontrigame.com/byyyfydxyf https://cxmp.scortma.com/qfutdbtqqu https://xrxw.scortma.com/gmdroacyvi https://qfab.geontrigame.com/vfofnzihsm https://tbet.geontrigame.com/zxchzzmism https://yezh.geontrigame.com/vxewhcacbfqnsw geraatualiza.com masterdow.com geraupdate.com |
Hash |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "https://btee.geontrigame.com/mvkrouhawm" or url like "https://btee.geontrigame.com/mvkrouhawm" or userdomainname like "https://llue.geontrigame.com/byyyfydxyf" or url like "https://llue.geontrigame.com/byyyfydxyf" or userdomainname like "https://bhju.daowsistem.com/iwywybzqxk" or url like "https://bhju.daowsistem.com/iwywybzqxk" or userdomainname like "https://tbet.geontrigame.com/zxchzzmism" or url like "https://tbet.geontrigame.com/zxchzzmism" or userdomainname like "https://igow.scortma.com/fqieghffbm" or url like "https://igow.scortma.com/fqieghffbm" or userdomainname like "https://leme.daowsistem.com/omzowcicwp" or url like "https://leme.daowsistem.com/omzowcicwp" or userdomainname like "https://lgfd.daowsistem.com/riqojhyvnr" or url like "https://lgfd.daowsistem.com/riqojhyvnr" or userdomainname like "https://qmnw.daowsistem.com/fayikyeund" or url like "https://qmnw.daowsistem.com/fayikyeund" or userdomainname like "geraupdate.com" or url like "geraupdate.com" or userdomainname like "https://qfab.geontrigame.com/vfofnzihsm" or url like "https://qfab.geontrigame.com/vfofnzihsm" or userdomainname like "https://yezh.geontrigame.com/vxewhcacbfqnsw" or url like "https://yezh.geontrigame.com/vxewhcacbfqnsw" or userdomainname like "https://xrxw.scortma.com/gmdroacyvi" or url like "https://xrxw.scortma.com/gmdroacyvi" or userdomainname like "https://quit.scortma.com/xzcpnnfhxi" or url like "https://quit.scortma.com/xzcpnnfhxi" or userdomainname like "https://cxmp.scortma.com/qfutdbtqqu" or url like "https://cxmp.scortma.com/qfutdbtqqu" or userdomainname like "geraatualiza.com" or url like "geraatualiza.com" or userdomainname like "masterdow.com" or url like "masterdow.com" |
Detection Query 2 |
sha256hash IN ("67f371a683b2be4c8002f89492cd29d96dceabdbfd36641a27be761ee64605b1","362af8118f437f9139556c59437544ae1489376dc4118027c24c8d5ce4d84e48","73ad6be67691b65cee251d098f2541eef3cab2853ad509dac72d8eff5bd85bc0","f3c37b1de5983b30b9ae70c525f97727a56d3874533db1a6e3dc1355bfbf37ec","7cbfbce482071c6df823f09d83c6868d0b1208e8ceb70147b64c52bb8b48bdb8","33cba89eeeaf139a798b7fa07ff6919dd0c4c6cf4106b659e4e56f15b5809287","fd0ef425d34b56d0bc08bd93e6ecb11541bd834b9d4d417187373b17055c862e","839de445f714a32f36670b590eba7fc68b1115b885ac8d689d7b344189521012","330dffe834ebbe4042747bbe00b4575629ba8f2507bccf746763cacf63d655bb","552d53f473096c55a3937c8512a06863133a97c3478ad6b1535e1976d1e0d45f","64209e2348e6d503ee518459d0487d636639fa5e5298d28093a5ad41390ef6b0","bea4f753707eba4088e8a51818d9de8e9ad0138495338402f05c5c7a800695a6") |
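As an added example (not from the advisory or from Gurucul's TDIR), the two detection queries above expressed as an offline Python matcher: it derives hostnames from the URL IOCs so they can be compared against a hostname field, extends the match to subdomains of the bare-domain IOCs (an assumption about what the queries' `like` is meant to cover), and compares SHA-256 values case-insensitively. The IOC values are a subset of those listed on this page; the sample events are constructed.

```python
from urllib.parse import urlsplit

# IOC values copied from this advisory's table (a subset of the URL list plus two hashes).
IOC_URLS = {
    "https://btee.geontrigame.com/mvkrouhawm",
    "https://igow.scortma.com/fqieghffbm",
}
IOC_DOMAINS = {"geraatualiza.com", "masterdow.com", "geraupdate.com"}
IOC_SHA256 = {
    "362af8118f437f9139556c59437544ae1489376dc4118027c24c8d5ce4d84e48",
    "fd0ef425d34b56d0bc08bd93e6ecb11541bd834b9d4d417187373b17055c862e",
}

def ioc_hosts() -> set:
    """Hosts to compare against a hostname field: bare-domain IOCs plus the host part of URL IOCs."""
    return IOC_DOMAINS | {urlsplit(u).hostname for u in IOC_URLS}

def host_matches(hostname: str) -> bool:
    """True if hostname equals an IOC host or is a subdomain of one (assumed scope of 'like')."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ioc_hosts())

def match_event(event: dict) -> list:
    """Return the detection rules an event triggers; an empty list means no match."""
    hits = []
    url = event.get("url", "")
    # Fall back to the URL's host when the event carries no userdomainname field.
    host = event.get("userdomainname") or (urlsplit(url).hostname or "")
    if url.lower() in IOC_URLS or host_matches(host):
        hits.append("Query1:url_or_domain")
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append("Query2:sha256")
    return hits

# Constructed sample events (not from the advisory): full-URL hit, subdomain hit, hash hit, clean.
SAMPLE_EVENTS = [
    {"url": "https://btee.geontrigame.com/mvkrouhawm"},
    {"userdomainname": "cdn.masterdow.com"},
    {"sha256hash": "362AF8118F437F9139556C59437544AE1489376DC4118027C24C8D5CE4D84E48"},
    {"url": "https://example.org/index.html", "sha256hash": "00" * 32},
]

def scan(events=SAMPLE_EVENTS) -> list:
    """Run every event through the matcher and pair it with its index."""
    return [(i, match_event(e)) for i, e in enumerate(events)]

if __name__ == "__main__":
    for i, hits in scan():
        print(i, hits or "clean")
```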
Reference:
https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files