Spritecoin Fake Wallet App Hides Ransomware (Removal Instructions)

Spritecoin Fake Wallet App Hides Ransomware (Removal Instructions)

Security researchers have detected another attack against users that are interested in cryptocurrency. A fake application masqueraded as wallet software is currently distributing ransomware and also has an information stealer bundled in the infection package, experts warn. The fake application a.k.a. ransomware is called Spritecoin, and it was discovered by Fortinet researchers.

Threat Summary

TypeRansomware, Fake app
Short DescriptionThe ransomware encrypts files on your computer and displays a ransom message once encryption is done.
SymptomsEncrypted files cannot be accessed. A ransom note message demands ransom in Monero.
Distribution Methodvia forum spam
Detection Tool See If Your System Has Been Affected by Spritecoin


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Spritecoin.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Spritecoin Monero Ransomware Infection Details

Researchers have witnessed unconfirmed reports which led them to believe that this attack is being spread via forum spam, and is specifically targeting users interested in cryptocurrency. During their research, experts came across what appears to be the homepage for SpriteCoin pagebin[.]com/xxqZ8VES:

The ransomware that is spread with the help of the Spritecoin fake app is asking for ransom payment in Monero cryptocurrency. In the meantime, the ransomware is pretending to a “cryptocurrency-related password store”. More particularly, the ransomware is pretending to be a Spritecoin wallet, and is asking the potential victim to create a password. But when the victim does, it will not actually download the block-chain but will in fact encrypt the data on the user’s computer.

Once the encryption process is done, the ransomware will demand a payment in Monero in exchange for the files’ decryption.

The file (also known as spritecoind[.]exe) is UPX packed for simple evasion. It displays the typical ransom note of “Your files are encrypted” and asks for a sum of 0.3 Monero which amounts to $105 USD, researchers add.

During their analysis, researchers noticed indicators that the sample has an embedded SQLite engine. This may mean that the ransomware is using SQLite to store harvested credentials.

Interestingly, the ransomware is designed to first search for Chrome credentials. If no such credentials are found, it continues with Firefox trying to access the browser’s credential store. Once this is done, it will look for specific files to encrypt, researchers reveal in their report.

Once the encryption is done, the following extension will be added to them: resume.doc.encrypted.

In addition to the ransomware carried by the Spritecoin fake wallet app, another piece of malware is dropped on the victim’s computer. It is indeed an information stealer looking to harvest certificates, as well as to perform other activities like image parsing, web camera activation, etc.

Researchers also observed that the payload file would not run in its current state without a particular patch in place. This is what they discovered:

Our test environment was a Windows XP SP3 machine, but due to a missing _snprintf_s function from msvcrt.dll the malware would not run. But it began once we patched our system to _snprintf. On initial execution, the malware copies itself to %APPDATA%\MoneroPayAgent.exe, and relaunches the new copy.

The following registry key is modified by the Spritecoin ransomware:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoneroPay

Lastly, the ransomware can be detected as one of the following AV signatures:

  • W32/Ransom.F3F6!tr (Ransomware)
  • W32/Agent.DDFA!tr (secondary payload of Monero)
  • W32/Generic!tr (Backdoor)
  • W32/MoneroPay.F3F6!tr.ransom

Spritecoin Monero Ransomware Removal

Below you can find a set of manual removal instructions for the Spritecoin ransomware distributed in the form of a fake wallet app. Keep in mind that the threat samples show that the ransomware is complex meaning that manual removal can be challenging even for tech-savvy users. Thus, the use of a professional anti-malware program is recommended for maximum efficiency. Such a tool will scan the whole system to locate all malicious files associated with the threat so you can easily get rid of them with a few mouse clicks.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share